{"id":"CVE-2026-42334","summary":"Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection","details":"Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.","aliases":["BIT-mongoose-2026-42334","GHSA-wpg9-53fq-2r8h"],"modified":"2026-07-08T08:11:24.653984837Z","published":"2026-05-14T18:03:43.196Z","database_specific":{"cwe_ids":["CWE-74"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42334.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42334.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42334"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/automattic/mongoose","events":[{"introduced":"0"},{"fixed":"473a92e912012984534a52623d786ca4b94185f6"},{"introduced":"582156858db3ca7fbaa8950dc997e0d9e8117b21"},{"fixed":"472e7c7072e6696ead2cc06123b18a2068c1e04c"},{"introduced":"93c780b6e1c24a6b4ab42c14e64a2500da87a54b"},{"fixed":"dfff2a55455c8caa2ea964bcf650233de77290da"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"6.13.9"},{"introduced":"8.0.0"},{"fixed":"8.22.1"},{"introduced":"9.0.0"},{"fixed":"9.1.6"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:mongoosejs:mongoose:*:*:*:*:*:node.js:*:*"}}],"versions":["8.22.0","8.21.1","9.1.5","9.1.4","8.21.0","9.1.3","9.1.2","9.1.1","9.1.0","8.20.4","9.0.2","8.20.3","9.0.1","8.20.2","9.0.0","8.20.1","8.20.0","8.19.4","8.19.3","8.19.2","8.19.1","8.19.0","8.18.3","8.18.2","8.18.1","8.17.1","8.18.0","8.17.2","8.17.0","8.16.5","8.16.4","8.16.3","8.16.2","8.16.1","8.16.0","8.15.2","8.15.1","8.15.0","8.14.3","8.14.2","8.14.1","8.14.0","8.13.3","8.13.2","8.13.1","8.13.0","8.12.2","8.12.1","8.12.0","8.11.0","8.10.2","8.10.1","8.10.0","8.9.7","8.9.6","6.13.8","6.13.7","6.13.6","8.9.5","6.13.5","8.9.4","8.9.3","8.9.2","8.9.1","8.9.0","8.8.4","8.8.3","6.13.4","8.8.2","8.8.0","8.8.1","6.13.3","8.7.3","8.7.2","8.7.1","8.7.0","8.6.4","6.13.2","8.6.3","8.6.2","6.13.1","8.6.0","8.6.1","8.5.5","8.5.4","8.5.3","8.5.2","6.13.0","8.5.1","8.5.0","8.4.5","8.4.4","8.4.3","8.4.2","8.4.1","6.12.9","8.4.0","8.3.5","8.3.4","6.12.8","8.3.3","8.3.2","8.3.1","8.3.0","8.2.4","8.2.3","8.2.2","8.2.1","6.12.7","8.2.0","6.12.6","8.1.3","8.1.2","8.1.1","8.1.0","6.12.5","8.0.4","6.12.4","8.0.3","8.0.2","8.0.1","8.0.0","6.12.2","6.12.1","6.12.0","6.11.6","6.11.5","6.11.4","6.11.3","6.11.2","6.11.1","6.11.0","6.10.5","6.10.4","6.10.3","6.10.2","6.10.1","6.10.0","6.9.3","6.9.2","6.9.1","6.9.0","6.8.5","6.8.4","6.8.3","6.8.2","6.8.1","6.8.0","6.7.5","6.7.4","6.7.3","6.7.2","6.7.1","6.7.0","6.6.7","6.6.6","6.6.5","6.6.4","6.6.3","6.6.2","6.6.1","6.6.0","6.5.5","6.5.4","6.5.3","6.5.2","6.5.1","6.5.0","6.4.4","6.4.3","6.4.2","6.4.1","6.4.0","6.3.9","6.3.8","6.3.7","6.3.6","6.3.5","6.3.4","6.3.3","6.3.2","6.3.1","6.3.0","6.2.11","6.2.10","6.2.9","6.2.8","6.2.7","6.2.6","6.2.5","6.2.4","6.2.3","6.2.2","6.1.8","6.1.7","6.1.6","6.1.5","6.1.4","6.1.3","6.1.2","test","6.1.1","6.1.0","6.0.15","6.0.14","6.0.13","6.0.12","6.0.11","6.0.10","6.0.9","6.0.8","6.0.7","6.0.6","6.0.5","6.0.4","6.0.3","6.0.2","6.0.1","6.0.0","5.13.8","5.13.7","5.13.5","5.13.4","5.13.3","5.13.2","5.13.1","5.13.0","5.12.15","5.12.14","5.12.13","5.12.12","5.12.11","5.12.10","5.12.7","5.12.6","5.12.5","5.12.4","5.12.3","5.12.2","5.12.1","5.11.20","5.12.0","5.11.19","5.11.18","5.11.17","5.11.16","5.11.15","5.11.14","5.11.13","5.11.12","5.11.11","5.11.10","5.11.9","5.11.7","5.11.6","5.11.5","5.11.4","5.11.3","5.11.2","5.11.1","5.11.0","5.10.19","5.10.18","5.10.17","5.10.16","5.10.15","5.10.14","5.10.13","5.10.12","5.10.11","5.10.10","5.10.9","5.10.8","5.10.7","5.10.6","5.10.4","5.10.3","5.10.2","5.10.1","5.10.0","5.9.29","5.9.28","5.9.27","5.9.26","5.9.25","5.9.24","5.9.23","5.9.22","5.9.21","5.9.20","5.9.19","5.9.18","5.9.17","5.9.16","5.9.15","5.9.14","5.9.13","5.9.12","5.9.11","5.9.10","5.9.9","5.9.8","5.9.7","5.9.6","5.9.5","5.9.4","5.9.3","5.9.2","5.9.1","5.9.0","5.8.13","5.8.12","5.8.11","5.8.10","5.8.9","5.8.8","5.8.7","5.8.6","5.8.5","5.8.4","5.8.3","5.8.2","5.8.0","5.7.14","5.7.13","5.7.12","5.7.11","5.7.10","5.7.9","5.7.8","5.7.7","5.7.6","5.7.5","5.7.4","5.7.3","5.7.2","5.7.1","5.7.0","5.6.13","5.6.12","5.6.11","5.6.10","5.6.9","5.6.8","5.6.7","5.6.6","5.6.5","5.6.4","5.6.3","5.6.2","5.6.1","5.6.0","5.5.15","5.5.14","5.5.13","5.5.12","5.5.11","5.5.10","5.5.9","5.5.8","5.5.7","5.5.6","5.5.5","5.5.4","5.5.3","5.5.2","5.5.1","5.5.0","5.4.23","5.4.22","5.4.21","5.4.20","5.4.19","5.4.18","5.4.17","5.4.16","5.4.15","5.4.14","5.4.13","5.4.12","5.4.11","5.4.10","5.4.9","5.4.8","5.4.7","5.4.6","5.4.5","5.4.4","5.4.3","5.4.2","5.4.1","5.4.0","5.3.16","5.3.15","5.3.14","5.3.12","5.3.11","5.3.10","5.3.8","5.3.7","5.3.6","5.3.5","5.3.4","5.3.3","5.3.2","5.3.1","5.3.0","5.2.18","5.2.17","5.2.16","5.2.15","5.2.14","5.2.13","5.2.12","5.2.10","5.2.8","5.2.7","5.2.5","5.2.4","5.2.3","5.2.2","5.2.1","5.2.0","5.1.8","5.1.7","5.1.6","5.1.5","5.1.4","5.1.3","5.1.2","5.1.1","5.1.0","5.0.18","5.0.17","5.0.16","5.0.15","5.0.14","5.0.13","5.0.12","5.0.11","5.0.10","5.0.9","5.0.8","5.0.7","5.0.6","5.0.5","5.0.4","5.0.3","5.0.2","5.0.1","5.0.0","5.0.0-rc2","5.0.0-rc1","5.0.0-rc0","4.13.8","4.13.7","4.13.6","4.13.5","4.13.4","4.13.3","4.13.2","4.13.1","4.13.0","4.12.6","4.12.5","4.12.4","4.12.3","4.12.2","4.12.1","4.12.0","4.11.14","v4.11.13","4.11.13","4.11.12","4.11.11","4.11.9","4.11.8","4.11.7","4.11.6","4.11.5","4.11.4","4.11.3","4.11.2","4.11.1","4.11.0","4.10.8","4.10.7","4.10.6","4.10.5","4.10.4","4.10.3","4.10.2","4.10.1","4.10.0","4.9.10","4.9.9","4.9.8","4.9.7","4.9.6","4.9.5","4.9.4","4.9.3","4.9.2","4.9.1","4.9.0","4.8.7","4.8.6","4.8.5","4.8.4","4.8.3","4.8.2","4.8.1","4.8.0","4.7.9","4.7.8","4.7.7","4.7.6","4.7.5","4.7.4","4.7.3","4.7.2","4.7.1","4.7.0","4.6.8","4.6.7","4.6.6","4.6.5","4.6.4","4.6.3","4.6.2","4.6.1","4.6.0","4.5.9","4.5.8","4.5.7","4.5.6","4.5.5","4.5.4","4.5.3","4.5.2","4.5.1","4.5.0","4.4.20","4.4.19","4.4.18","4.4.17","4.4.16","4.4.15","4.4.14","4.4.13","4.4.12","4.4.11","4.4.10","4.4.9","4.4.8","4.4.7","4.4.6","4.4.5","4.4.4","4.4.3","4.4.2","4.4.1","4.4.0","4.3.7","4.3.6","4.3.5","4.3.4","4.3.3","4.3.2","4.3.1","4.3.0","4.2.9","4.2.10","4.2.8","4.2.7","4.2.6","4.1.11","4.2.5","4.2.4","4.2.3","4.2.1","4.2.0","4.1.12","4.1.10","4.1.9","4.1.8","4.1.7","4.1.6","4.1.3","4.1.5","4.1.4","4.1.2","4.1.1","4.1.0","4.0.8","4.0.7","4.0.6","4.0.5","4.0.4","4.0.3","4.0.2","4.0.1","4.0.0","4.0.0-rc4","4.0.0-rc3","4.0.0-rc2","4.0.0-rc1","4.0.0-rc0","3.9.7","3.9.6","3.9.5","3.9.4","3.9.3","3.9.2","3.9.1","3.9.0","3.8.1","3.8.0","3.7.4","3.7.3","3.7.2","3.6.2","3.6.1","3.6.0","3.6.0rc1","3.5.7","3.5.6","3.5.5","3.5.4","3.5.2","3.5.1","3.5.0","3.4.0","3.3.1","3.3.0","3.2.2","3.2.1","3.2.0","3.1.2","3.1.1","3.1.0","3.0.3","3.0.1","2.3.12","2.3.11","2.3.10","2.3.9","2.3.8","2.3.7","2.3.6","2.3.5","2.3.4","2.3.3","2.3.2","2.3.1","2.3.0","2.2.4","2.2.3","2.2.2","2.2.1","2.2.0","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0","2.0.4","2.0.3","2.0.2","2.0.1","2.0.0","1.7.2","1.6.0","1.5.0","1.3.6","1.3.5","1.3.4","1.3.3","1.3.2","1.3.1","1.3.0","1.1.25","1.1.23","1.1.22","1.1.21","1.1.20","1.1.19","1.1.18","1.1.17","1.1.16","1.1.12","1.1.10","1.1.9","1.1.7","1.1.6","1.1.5","1.1.4","1.1.3","1.1.2","1.0.16","1.0.15","1.0.14","1.0.13","1.0.12","1.0.9","1.0.7","1.0.2","0.0.5","1.0.1","0.0.4","0.0.3","0.0.2","0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42334.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}