
fix(deps): update dependency mongoose to v6.13.9 [security]#227

Open

renovate[bot] wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

Conversation

@renovate renovate Bot (Contributor) commented Dec 3, 2024

This PR contains the following updates:

Package             Change             Age   Confidence
mongoose (source)   6.12.3 → 6.13.9    age   confidence

Mongoose search injection vulnerability

CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw

Details

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Severity

  • CVSS Score: 9.0 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mongoose search injection vulnerability

CVE-2024-53900 / GHSA-m7xq-9374-9rvx

Details

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

CVE-2026-42334 / GHSA-wpg9-53fq-2r8h

Details

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

  • Authentication bypass
  • Unauthorized data access
  • Data exfiltration

Affected users:

Applications that:

  • Explicitly enable sanitizeFilter
  • Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

  • ^6.13.9
  • ^7.8.9
  • ^8.22.1
  • ^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Automattic/mongoose (mongoose)

v6.13.9

6.13.9 / 2026-02-04

  • fix: handle other top-level query operators in sanitizeFilter
  • types(aggregate): add $firstN, $lastN, $bottom, $bottomN, $minN and $maxN operators #​15303 #​15299
  • docs(compatibility): add note that Mongoose ^6.5 works with MongoDB server 7.x #​15427

v6.13.8

  • chore: remove coverage output from bundle

v6.13.7

  • chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

v6.13.6

v6.13.5

  • fix: disallow using $where in match

v6.13.4

v6.13.3

  • docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #​11152

v6.13.2

  • fix(document): make set() respect merge option on deeply nested objects #​14870 #​14878

v6.13.1

v6.13.0

  • feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v6.12.9

v6.12.8

  • fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #​14468 #​14446
  • fix(schematype): consistently set wasPopulated to object with value property rather than boolean #​14418
  • docs(model): add extra note about lean option for insertMany() skipping casting #​14415 #​14376

v6.12.7

v6.12.6

  • fix(collection): correctly handle buffer timeouts with find() #​14277
  • fix(document): allow calling push() with different $position arguments #​14254

v6.12.5

  • perf(schema): remove unnecessary lookahead in numeric subpath check
  • fix(document): allow setting nested path to null #​14226
  • fix(document): avoid flattening dotted paths in mixed path underneath nested path #​14198 #​14178
  • fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #​14213

v6.12.4

  • fix: upgrade mongodb driver -> 4.17.2
  • fix(document): avoid treating nested projection as inclusive when applying defaults #​14173 #​14115
  • fix: account for null values when assigning isNew property #​14172 #​13883

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
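The $nor gap and the strip-$nor workaround described in the CVE-2026-42334 advisory above, as an added illustration that is not Mongoose's own code: a simplified sanitizeFilter-style pass built once with only $and/$or in the recursed set and once with $nor added, plus a helper that drops $nor keys. hasDollarKeys, makeSanitizer, stripNor and the fixture object are assumed names and a constructed input, not taken from the page.

```javascript
// Simplified model (not Mongoose's code) of a sanitizeFilter-style pass:
// operator objects are wrapped in $eq, and logical operators whose value
// is an array are recursed into. Which keys count as logical is the knob
// the advisory describes: $nor was missing from that set before the fix.

function hasDollarKeys(value) {
  // Only plain objects count; an array never does, which is why a bare
  // $nor array slipped past the check.
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.keys(value).some((k) => k.startsWith('$'));
}

function makeSanitizer(logicalOps) {
  return function sanitize(filter) {
    if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
      return filter;
    }
    const out = {};
    for (const [key, value] of Object.entries(filter)) {
      if (logicalOps.has(key) && Array.isArray(value)) {
        out[key] = value.map(sanitize);   // recurse into each clause
      } else if (hasDollarKeys(value)) {
        out[key] = { $eq: value };        // neutralize the operator object
      } else {
        out[key] = value;                 // scalar or plain value: keep as-is
      }
    }
    return out;
  };
}

// Before the fix only $and/$or were recursed into; the fix adds $nor.
const sanitizeBefore = makeSanitizer(new Set(['$and', '$or']));
const sanitizeAfter = makeSanitizer(new Set(['$and', '$or', '$nor']));

// Workaround from the advisory: strip $nor from a filter before querying.
function stripNor(filter) {
  if (filter === null || typeof filter !== 'object') return filter;
  if (Array.isArray(filter)) return filter.map(stripNor);
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (key === '$nor') continue;       // drop the key wherever it appears
    out[key] = stripNor(value);
  }
  return out;
}

// Constructed test fixture: an operator object nested inside a $nor array.
const fixture = { user: 'alice', $nor: [{ role: { $gt: '' } }] };
```

Running sanitizeBefore(fixture) leaves the nested $gt untouched, while sanitizeAfter(fixture) rewrites it to { $eq: { $gt: '' } } and stripNor(fixture) removes the $nor key entirely.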

@renovate renovate Bot added breaking This issue or pull request contain breaking changes dependencies Pull requests that update a dependency file labels Dec 3, 2024
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v8 [security] - autoclosed Dec 4, 2024
@renovate renovate Bot closed this Dec 4, 2024
@renovate renovate Bot deleted the renovate/npm-mongoose-vulnerability branch December 4, 2024 19:50
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] - autoclosed fix(deps): update dependency mongoose to v8 [security] Dec 4, 2024
@renovate renovate Bot reopened this Dec 4, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from a6e8dcf to 2843a58 Compare December 4, 2024 23:30
@renovate renovate Bot removed the breaking This issue or pull request contain breaking changes label Dec 4, 2024
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v6.13.5 [security] Dec 4, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 2843a58 to a03ed04 Compare December 5, 2024 02:39
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v6.13.5 [security] - autoclosed Dec 8, 2024
@renovate renovate Bot closed this Dec 8, 2024
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] - autoclosed fix(deps): update dependency mongoose to v6.13.5 [security] Dec 8, 2024
@renovate renovate Bot reopened this Dec 8, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 80522cf to a03ed04 Compare December 8, 2024 23:36
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from a03ed04 to 50bb577 Compare January 16, 2025 17:39
@renovate renovate Bot added the breaking This issue or pull request contain breaking changes label Jan 16, 2025
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v8 [security] Jan 16, 2025
@renovate renovate Bot removed the breaking This issue or pull request contain breaking changes label Jan 17, 2025
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v6.13.5 [security] Jan 17, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 50bb577 to 64442c0 Compare January 17, 2025 20:15
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v6.13.6 [security] Jan 19, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 64442c0 to ad99c71 Compare January 19, 2025 09:56
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from ad99c71 to 049971a Compare February 15, 2025 02:34
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 049971a to 5e3e200 Compare August 10, 2025 13:50
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 5e3e200 to 1a2c76e Compare November 10, 2025 19:01
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 1a2c76e to 3843e52 Compare February 2, 2026 14:56
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 3843e52 to b1b1aad Compare February 12, 2026 16:54
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] fix(deps): update dependency mongoose to v6.13.6 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] - autoclosed fix(deps): update dependency mongoose to v6.13.6 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from b1b1aad to d268b1e Compare March 30, 2026 21:50
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] fix(deps): update dependency mongoose to v6.13.6 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] - autoclosed fix(deps): update dependency mongoose to v6.13.6 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from d268b1e to 057a423 Compare April 27, 2026 23:36
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 057a423 to 571c635 Compare May 6, 2026 21:14
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] fix(deps): update dependency mongoose to v6.13.9 [security] May 6, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 571c635 to bd0d16d Compare May 12, 2026 11:36
@renovate renovate Bot (Contributor, Author) commented May 12, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
warn: This version of pnpm requires at least Node.js v22.13
warn: The current version of Node.js is v20.20.2
warn: Visit https://r.pnpm.io/comp to see the list of past pnpm versions with respective Node.js version support.
node:internal/modules/cjs/loader:1031
      throw new ERR_UNKNOWN_BUILTIN_MODULE(request);
            ^

Error [ERR_UNKNOWN_BUILTIN_MODULE]: No such built-in module: node:sqlite
    at Module._load (node:internal/modules/cjs/loader:1031:13)
    at Module.require (node:internal/modules/cjs/loader:1289:19)
    at require (node:internal/modules/helpers:182:18)
    at ../store/index/lib/index.js (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:54998:25)
    at __init (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:15:56)
    at ../resolving/npm-resolver/lib/index.js (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:65888:5)
    at __init (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:15:56)
    at ../workspace/projects-graph/lib/index.js (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:66026:5)
    at __init (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:15:56)
    at ../workspace/projects-filter/lib/index.js (file:///opt/containerbase/tools/pnpm/11.5.3/20.20.2/node_modules/pnpm/dist/pnpm.mjs:73445:5) {
  code: 'ERR_UNKNOWN_BUILTIN_MODULE'
}

Node.js v20.20.2
