Skip to content

mongoose-5.13.23.tgz: 4 vulnerabilities (highest severity is: 9.1) #42

Description

@mend-bolt-for-github
Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (mongoose version) Remediation Possible**
CVE-2024-53900 Critical 9.1 mongoose-5.13.23.tgz Direct mongoose - 6.13.5,7.8.3,8.8.3
CVE-2025-23061 Critical 9.0 mongoose-5.13.23.tgz Direct mongoose - 6.13.6,7.8.4,8.9.5
CVE-2026-42334 High 7.5 mongoose-5.13.23.tgz Direct 6.13.9
CVE-2025-2306 Medium 5.9 mongoose-5.13.23.tgz Direct mongoose -6.13.6,7.8.4,8.9.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-53900

Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.23.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Publish Date: 2024-12-02

URL: CVE-2024-53900

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-53900

Release Date: 2024-12-02

Fix Resolution: mongoose - 6.13.5,7.8.3,8.8.3

Step up your Open Source Security Game with Mend here

CVE-2025-23061

Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.23.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Publish Date: 2025-01-15

URL: CVE-2025-23061

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-01-15

Fix Resolution: mongoose - 6.13.6,7.8.4,8.9.5

Step up your Open Source Security Game with Mend here

CVE-2026-42334

Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.23.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

Publish Date: 2026-05-14

URL: CVE-2026-42334

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wpg9-53fq-2r8h

Release Date: 2026-05-06

Fix Resolution: 6.13.9

Step up your Open Source Security Game with Mend here

CVE-2025-2306

Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /ar-vr-experience/package.json

Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.23.tgz (Vulnerable Library)

Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082

Found in base branch: main

Vulnerability Details

An Improper Access Control vulnerability was
identified in the file download functionality. This vulnerability allows users
to download sensitive documents without authentication, if the URL is known.
The attack
requires the attacker to know the documents UUIDv4.

Publish Date: 2025-05-16

URL: CVE-2025-2306

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://securityonline.info/cve-2025-2306-cvss-9-0-mongoose-flaw-leaves-millions-of-downloads-exposed-to-search-injection/

Release Date: 2025-01-18

Fix Resolution: mongoose -6.13.6,7.8.4,8.9.5

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions