CVE Vulnerabilities

CVE-2026-42334

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: May 14, 2026 | Modified: May 15, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io logo minimus.io logo echo.ai logo

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

NameVendorStart VersionEnd Version
MongooseMongoosejs*6.13.9 (excluding)
MongooseMongoosejs7.0.0 (including)7.8.9 (excluding)
MongooseMongoosejs8.0.0 (including)8.22.1 (excluding)
MongooseMongoosejs9.0.0 (including)9.1.6 (excluding)

Potential Mitigations

References