Skip to main content

Mongoose ODM EUVDEUVD-2026-30349

| CVE-2026-42334 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-05 https://github.com/Automattic/mongoose GHSA-wpg9-53fq-2r8h
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 22:31 vuln.today
Analysis Generated
May 05, 2026 - 22:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on mongoose (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.0.0.

DescriptionGitHub Advisory

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

  • Authentication bypass
  • Unauthorized data access
  • Data exfiltration

Affected users:

Applications that:

  • Explicitly enable sanitizeFilter
  • Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

  • ^6.13.9
  • ^7.8.9
  • ^8.22.1
  • ^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

AnalysisAI

Authentication bypass in Mongoose 6.x-9.x allows remote attackers to inject malicious MongoDB query operators via the $nor clause when sanitizeFilter is enabled. The vulnerability exists because Mongoose's sanitizeFilter mechanism fails to recursively sanitize the $nor logical operator, allowing injection of operators like $ne, $gt, or $regex that bypass authentication checks or extract unauthorized data. This affects only applications that explicitly enable sanitizeFilter and pass unsanitized user input directly into query methods while relying on sanitizeFilter for protection. Vendor-released patches are available for all supported release lines. No public exploit identified at time of analysis, though exploitation is straightforward for affected configurations.

Technical ContextAI

Mongoose is a MongoDB object data modeling (ODM) library for Node.js applications. The sanitizeFilter feature, introduced in Mongoose 6, is designed to prevent NoSQL injection by wrapping MongoDB query operators (e.g., $ne, $gt, $regex) in $eq to neutralize them. The vulnerability stems from an incomplete implementation of recursive sanitization logic for MongoDB's logical operators. While $and and $or were properly handled, $nor was omitted from the recursive sanitization routine. Because $nor accepts an array of conditions (similar to $and/$or) and arrays do not trigger Mongoose's hasDollarKeys() detection function, attackers can nest malicious query operators inside $nor clauses. The root cause aligns with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) - specifically, incomplete sanitization of MongoDB-specific query syntax. This is a logic flaw in Mongoose's security feature implementation, not a MongoDB vulnerability.

RemediationAI

Upgrade Mongoose to patched versions immediately if you meet the affected configuration criteria: 6.13.9 or later for 6.x users, 7.8.9 or later for 7.x users, 8.22.1 or later for 8.x users, or 9.1.6 or later for 9.x users. These patch versions are confirmed by the GitHub security advisory GHSA-wpg9-53fq-2r8h. If immediate upgrade is not feasible, implement one of these compensating controls: (1) Add middleware to strip $nor keys from all incoming query filters before they reach Mongoose query methods - this prevents the attack vector entirely but may break legitimate use of $nor in your application logic; (2) Replace direct req.body passthrough with explicit field mapping (e.g., change Model.findOne(req.body) to Model.findOne({ username: req.body.username, password: req.body.password })) - this is the recommended long-term secure coding practice and eliminates reliance on sanitizeFilter; (3) Implement schema validation using libraries like Joi, Yup, or express-validator to whitelist allowed fields and reject MongoDB operators before queries execute - adds defense-in-depth but increases request processing overhead. Note that disabling sanitizeFilter is NOT a viable workaround as it would expose other injection vectors. Advisory and documentation available at https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter() and https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html.

Share

EUVD-2026-30349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy