{"id":"GHSA-wpg9-53fq-2r8h","summary":"Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection","details":"### Impact\n\nThis vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the `$nor` operator.\n\nWhen sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operators that are recursively sanitized. Because `$nor` accepts an array (like `$and` and `$or`), and arrays do not trigger `hasDollarKeys()`, malicious operators such as `$ne`, `$gt`, or `$regex` could be injected inside a `$nor` clause without being sanitized.\n\nThis may lead to:\n\n- Authentication bypass\n- Unauthorized data access\n- Data exfiltration\n\n**Affected users:**\n\nApplications that:\n\n- Explicitly enable sanitizeFilter\n- Pass unsanitized user-controlled input directly into query methods (e.g., `Model.findOne(req.body)`) and rely on `sanitizeFilter` to strip out query selectors\n\nApplications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, `Model.findOne({ user: req.body.user, pwd: req.body.pwd })` is not affected.\n\n### Patches\n\nPatches have been released for all supported Mongoose release lines:\n\n- `^6.13.9`\n- `^7.8.9`\n- `^8.22.1`\n- `^9.1.6`\n\n### Workarounds\n\nDelete `$nor` keys, use an additional schema validation library, or write middleware to strip out `$nor` from query filters.\n\n### Resources\n\nsanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()\n\nOriginal blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html","aliases":["BIT-mongoose-2026-42334","CVE-2026-42334"],"modified":"2026-05-18T08:11:23.589007268Z","published":"2026-05-05T21:48:06Z","database_specific":{"cwe_ids":["CWE-74"],"severity":"HIGH","github_reviewed":true,"nvd_published_at":"2026-05-14T18:16:47Z","github_reviewed_at":"2026-05-05T21:48:06Z"},"references":[{"type":"WEB","url":"https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42334"},{"type":"PACKAGE","url":"https://github.com/Automattic/mongoose"},{"type":"WEB","url":"https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()"},{"type":"WEB","url":"https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html"}],"affected":[{"package":{"name":"mongoose","ecosystem":"npm","purl":"pkg:npm/mongoose"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"6.13.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wpg9-53fq-2r8h/GHSA-wpg9-53fq-2r8h.json"}},{"package":{"name":"mongoose","ecosystem":"npm","purl":"pkg:npm/mongoose"},"ranges":[{"type":"SEMVER","events":[{"introduced":"7.0.0"},{"fixed":"7.8.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wpg9-53fq-2r8h/GHSA-wpg9-53fq-2r8h.json","last_known_affected_version_range":"\u003c= 7.8.8"}},{"package":{"name":"mongoose","ecosystem":"npm","purl":"pkg:npm/mongoose"},"ranges":[{"type":"SEMVER","events":[{"introduced":"8.0.0"},{"fixed":"8.22.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wpg9-53fq-2r8h/GHSA-wpg9-53fq-2r8h.json","last_known_affected_version_range":"\u003c= 8.22.0"}},{"package":{"name":"mongoose","ecosystem":"npm","purl":"pkg:npm/mongoose"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.0.0"},{"fixed":"9.1.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wpg9-53fq-2r8h/GHSA-wpg9-53fq-2r8h.json","last_known_affected_version_range":"\u003c= 9.1.5"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}