CVE-2026-42334

Name of the Vulnerable Software and Affected Versions Mongoose versions prior to 6.13.9 Mongoose versions prior to 7.8.9 Mongoose versions prior to 8.22.1 Mongoose versions prior to 9.1.6

Description A flaw in the sanitizeFilter query sanitization mechanism allows it to be bypassed using the $nor operator. When sanitizeFilter is active, Mongoose typically wraps query operators in $eq to neutralize them. However, $nor was not recursively sanitized. Since $nor accepts an array and arrays do not trigger the hasDollarKeys() function, malicious operators such as $ne, $gt, or $regex can be injected within a $nor clause. This can lead to authentication bypass, unauthorized data access, or data exfiltration in applications that pass unsanitized user-controlled input directly into query methods and rely on sanitizeFilter for protection.

Recommendations Update to version 6.13.9 or later. Update to version 7.8.9 or later. Update to version 8.22.1 or later. Update to version 9.1.6 or later. As a temporary workaround, delete $nor keys, use an additional schema validation library, or implement middleware to strip $nor from query filters.