Cataliniovita-Snyk

**Name of the Vulnerable Software and Affected Versions** Mongoose versions prior to 6.13.9 Mongoose versions prior to 7.8.9 Mongoose versions prior to 8.22.1 Mongoose versions prior to 9.1.6 **Description** A flaw in the `sanitizeFilter` query sanitization mechanism allows it to be bypassed using the `$nor` operator. When `sanitizeFilter` is active, Mongoose typically wraps query operators in `$eq` to neutralize them. However, `$nor` was not recursively sanitized. Since `$nor` accepts an array and arrays do not trigger the `hasDollarKeys()` function, malicious operators such as `$ne`, `$gt`, or `$regex` can be injected within a `$nor` clause. This can lead to authentication bypass, unauthorized data access, or data exfiltration in applications that pass unsanitized user-controlled input directly into query methods and rely on `sanitizeFilter` for protection. **Recommendations** Update to version 6.13.9 or later. Update to version 7.8.9 or later. Update to version 8.22.1 or later. Update to version 9.1.6 or later. As a temporary workaround, delete `$nor` keys, use an additional schema validation library, or implement middleware to strip `$nor` from query filters.

**Name of the Vulnerable Software and Affected Versions** Dify versions prior to 1.11.2 **Description** Dify, an open-source LLM app development platform, contains a stored cross-site scripting (XSS) issue when rendering Mermaid diagrams within chats. The issue stems from Dify’s default Mermaid configuration utilizing a `securityLevel` of `loose`, which permits the execution of potentially unsafe content. **Recommendations** Update to version 1.11.2 or later.