Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (mongoose version) |
Remediation Possible** |
| CVE-2024-53900 |
Critical |
9.1 |
mongoose-5.13.23.tgz |
Direct |
mongoose - 6.13.5,7.8.3,8.8.3 |
❌ |
| CVE-2025-23061 |
Critical |
9.0 |
mongoose-5.13.23.tgz |
Direct |
mongoose - 6.13.6,7.8.4,8.9.5 |
❌ |
| CVE-2026-42334 |
High |
7.5 |
mongoose-5.13.23.tgz |
Direct |
6.13.9 |
❌ |
| CVE-2025-2306 |
Medium |
5.9 |
mongoose-5.13.23.tgz |
Direct |
mongoose -6.13.6,7.8.4,8.9.5 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-53900
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
- ❌ mongoose-5.13.23.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Publish Date: 2024-12-02
URL: CVE-2024-53900
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-53900
Release Date: 2024-12-02
Fix Resolution: mongoose - 6.13.5,7.8.3,8.8.3
Step up your Open Source Security Game with Mend here
CVE-2025-23061
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
- ❌ mongoose-5.13.23.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Publish Date: 2025-01-15
URL: CVE-2025-23061
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-01-15
Fix Resolution: mongoose - 6.13.6,7.8.4,8.9.5
Step up your Open Source Security Game with Mend here
CVE-2026-42334
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
- ❌ mongoose-5.13.23.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
Publish Date: 2026-05-14
URL: CVE-2026-42334
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wpg9-53fq-2r8h
Release Date: 2026-05-06
Fix Resolution: 6.13.9
Step up your Open Source Security Game with Mend here
CVE-2025-2306
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
- ❌ mongoose-5.13.23.tgz (Vulnerable Library)
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
An Improper Access Control vulnerability was
identified in the file download functionality. This vulnerability allows users
to download sensitive documents without authentication, if the URL is known.
The attack
requires the attacker to know the documents UUIDv4.
Publish Date: 2025-05-16
URL: CVE-2025-2306
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://securityonline.info/cve-2025-2306-cvss-9-0-mongoose-flaw-leaves-millions-of-downloads-exposed-to-search-injection/
Release Date: 2025-01-18
Fix Resolution: mongoose -6.13.6,7.8.4,8.9.5
Step up your Open Source Security Game with Mend here
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Publish Date: 2024-12-02
URL: CVE-2024-53900
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-53900
Release Date: 2024-12-02
Fix Resolution: mongoose - 6.13.5,7.8.3,8.8.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Publish Date: 2025-01-15
URL: CVE-2025-23061
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-01-15
Fix Resolution: mongoose - 6.13.6,7.8.4,8.9.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
Publish Date: 2026-05-14
URL: CVE-2026-42334
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wpg9-53fq-2r8h
Release Date: 2026-05-06
Fix Resolution: 6.13.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - mongoose-5.13.23.tgz
Mongoose MongoDB ODM
Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz
Path to dependency file: /ar-vr-experience/package.json
Path to vulnerable library: /ar-vr-experience/node_modules/mongoose/package.json,/token-incentive-system/node_modules/mongoose/package.json
Dependency Hierarchy:
Found in HEAD commit: a2ed13ef7f5dce613f19af695433a78d5b7ea082
Found in base branch: main
Vulnerability Details
An Improper Access Control vulnerability was
identified in the file download functionality. This vulnerability allows users
to download sensitive documents without authentication, if the URL is known.
The attack
requires the attacker to know the documents UUIDv4.
Publish Date: 2025-05-16
URL: CVE-2025-2306
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://securityonline.info/cve-2025-2306-cvss-9-0-mongoose-flaw-leaves-millions-of-downloads-exposed-to-search-injection/
Release Date: 2025-01-18
Fix Resolution: mongoose -6.13.6,7.8.4,8.9.5
Step up your Open Source Security Game with Mend here