cvebase

Mongoosejs Mongoose vulnerabilities

6 known vulnerabilities affecting mongoosejs/mongoose.

Total CVEs: 6
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 1

Vulnerabilities

CVE-2024-53900 | P1 | CRITICAL | CVSS 9.1 | Exploited | PoC | fixed in 6.13.5 | affected: ≥ 7.0.1, < 7.8.3 (+6 more ranges) | published 2024-12-02
CWE-89. Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Source: NVD
CVE-2025-23061 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 6.13.6 | affected: ≥ 7.0.0, < 7.8.4 (+1 more range) | published 2025-01-15
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Source: NVD
CVE-2022-2564 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.13.15 | affected: ≥ 6.0.0, < 6.4.6 | published 2022-07-28
CWE-1321. Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
Source: NVD
CVE-2019-17426 | P3 | CRITICAL | CVSS 9.1 | affected: ≤ 5.7.4 | published 2019-10-10
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versio
Source: NVD
CVE-2026-42334 | P3 | HIGH | CVSS 7.5 | fixed in 6.13.9 | affected: ≥ 7.0.0, < 7.8.9 (+2 more ranges) | published 2026-05-14
CWE-74. Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose's sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to
Source: NVD
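The two $where entries (CVE-2024-53900, CVE-2025-23061) and the sanitizeFilter entry above describe the same underlying failure: a query operator that originated in user input reaching the driver intact. The block below is an added example, not Mongoose's code and not the fix for any CVE on this page. It is a standalone re-creation of the behaviour the page attributes to sanitizeFilter (a field value that carries an operator is wrapped in $eq so it compares as a literal), together with two checks a practitioner can run on a filter before it is passed to a query or a populate() match. The function names sanitizeFilter, findLiveOperators and assertNoWhere, the decision to recurse into $nor alongside $and and $or, and the sample filter are all assumptions made for this illustration; in an application, use the sanitizeFilter option Mongoose itself provides.

```javascript
// Added, standalone illustration (not Mongoose's code). Models the behaviour the page
// attributes to Mongoose's sanitizeFilter: field values that carry query operators are
// wrapped in { $eq: value } so they compare as literals. Function names and the sample
// filter are assumptions for this example, not Mongoose APIs.

const LOGICAL_OPERATORS = new Set(["$and", "$or", "$nor"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function hasOperatorKey(value) {
  return isPlainObject(value) && Object.keys(value).some((k) => k.startsWith("$"));
}

// Return a copy of `filter` in which every field value containing a `$`-prefixed key is
// wrapped in { $eq: value }. The recursion deliberately covers $and, $or AND $nor so a
// clause nested under any logical operator is treated exactly like the top level
// (design choice for this example: no logical operator may be a blind spot).
function sanitizeFilter(filter) {
  if (Array.isArray(filter)) return filter.map(sanitizeFilter);
  if (!isPlainObject(filter)) return filter;
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (LOGICAL_OPERATORS.has(key)) {
      out[key] = sanitizeFilter(Array.isArray(value) ? value : [value]);
    } else if (hasOperatorKey(value)) {
      const keys = Object.keys(value);
      // An object that is already exactly { $eq: x } is a literal comparison; leave it.
      out[key] = keys.length === 1 && keys[0] === "$eq" ? value : { $eq: value };
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Walk a (supposedly sanitized) filter and list every operator that is still "live":
// a `$`-prefixed key that is neither a logical operator nor the $eq wrapper itself.
// Anything under $eq is an opaque literal and is not descended into. Returns dotted
// paths; an empty array means no attacker-controlled operator survived.
function findLiveOperators(filter, path = "", found = []) {
  if (Array.isArray(filter)) {
    filter.forEach((item, i) => findLiveOperators(item, `${path}[${i}]`, found));
    return found;
  }
  if (!isPlainObject(filter)) return found;
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key === "$eq") continue;
    if (key.startsWith("$") && !LOGICAL_OPERATORS.has(key)) found.push(here);
    findLiveOperators(value, here, found);
  }
  return found;
}

// $where takes a JavaScript string evaluated on the server, so wrapping cannot make it
// safe: a filter or populate() match built from user input must never contain it at
// any depth. Returns true when clean, throws otherwise.
function assertNoWhere(filter, path = "") {
  if (Array.isArray(filter)) {
    filter.forEach((item, i) => assertNoWhere(item, `${path}[${i}]`));
    return true;
  }
  if (!isPlainObject(filter)) return true;
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key === "$where") {
      throw new Error(`$where is not allowed in a user-controlled filter (at ${here})`);
    }
    assertNoWhere(value, here);
  }
  return true;
}

// Constructed sample: what a login handler receives if a JSON body is passed straight
// into a query. Both operators are attacker-supplied; the $nor clause is nested.
const untrustedFilter = {
  username: { $ne: null },
  $nor: [{ role: { $gt: "" } }],
};

function demo() {
  const sanitized = sanitizeFilter(untrustedFilter);
  return {
    liveBefore: findLiveOperators(untrustedFilter),
    sanitized,
    liveAfter: findLiveOperators(sanitized),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. findLiveOperators is independent of whichever sanitizer produced the filter: if a logical operator were left out of the sanitizer's recursion, the dotted path to the surviving operator would appear in its output, which makes it a cheap regression test to pin in a project's own suite next to its upgrade of the mongoose dependency.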
CVE-2023-3696 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.13.20 | affected: ≥ 6.0.0, < 6.11.3 (+1 more range) | published 2023-07-17
CWE-1321. Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
Source: NVD