mongoose (npm)
5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mongoose (page 1 of 1)
- CVE-2019-17426 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 4.13.21 | 2019-10-10
  Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query fil…
- CVE-2022-2564 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.13.15 | 2022-07-28
  Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
- CVE-2023-3696 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.13.20 | 2023-07-17
  Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
- CVE-2024-53900 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 5.13.23 | 2024-12-02
  Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
- CVE-2026-42334 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 9.1.6 | 2026-05-14
  Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose's sanitizeFilter query sanitization mechanism via the $nor o…