CVE-2026-42334

HIGH 7.5, EPSS 0.05%

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Published: 5/5/2026
Modified: 5/18/2026

Description

### Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the `$nor` operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operators that are recursively sanitized. Because `$nor` accepts an array (like `$and` and `$or`), and arrays do not trigger `hasDollarKeys()`, malicious operators such as `$ne`, `$gt`, or `$regex` could be injected inside a `$nor` clause without being sanitized.

This may lead to:

- Authentication bypass
- Unauthorized data access
- Data exfiltration

**Affected users:** Applications that:

- Explicitly enable sanitizeFilter
- Pass unsanitized user-controlled input directly into query methods (e.g., `Model.findOne(req.body)`) and rely on `sanitizeFilter` to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, `Model.findOne({ user: req.body.user, pwd: req.body.pwd })` is not affected.

### Patches

Patches have been released for all supported Mongoose release lines:

- `^6.13.9`
- `^7.8.9`
- `^8.22.1`
- `^9.1.6`

### Workarounds

Delete `$nor` keys, use an additional schema validation library, or write middleware to strip out `$nor` from query filters.

### Resources

- sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()
- Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html
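One way to implement the "strip out `$nor`" workaround listed under Workarounds, as an added example that is not code from Mongoose or from this advisory. The names `stripNor` and `stripNorMiddleware` are hypothetical, and the middleware assumes an Express-style `(req, res, next)` signature with an already-parsed JSON `req.body`.

```javascript
// Added example (not Mongoose code): remove `$nor` at every nesting level of an
// untrusted filter before it reaches a query method such as Model.findOne().
const BLOCKED_KEYS = new Set(['$nor']);
const MAX_DEPTH = 32; // assumed limit; bounds recursion on hostile input

function stripNor(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new RangeError('filter nested too deeply');

  // Arrays are walked element by element: $and / $or carry their clauses in
  // arrays, so a `$nor` hidden inside one of them must be reached as well.
  if (Array.isArray(value)) {
    return value.map((item) => stripNor(item, depth + 1));
  }
  if (value === null || typeof value !== 'object') return value;

  // Only plain objects are rebuilt; Date, Buffer, ObjectId etc. pass through.
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return value;

  const clean = {};
  for (const [key, child] of Object.entries(value)) {
    // Drop `$nor`, and never copy an own "__proto__" key onto the new object.
    if (BLOCKED_KEYS.has(key) || key === '__proto__') continue;
    clean[key] = stripNor(child, depth + 1);
  }
  return clean;
}

// Express-style middleware (assumed signature): sanitize the body in place of
// the original and hand failures to the error handler instead of the query.
function stripNorMiddleware(req, res, next) {
  try {
    if (req.body !== undefined) req.body = stripNor(req.body);
    next();
  } catch (err) {
    next(err);
  }
}

// Constructed sample body, for illustration only.
const sampleBody = { user: 'alice', $nor: [{ pwd: { $ne: null } }] };
console.log(JSON.stringify(stripNor(sampleBody))); // {"user":"alice"}
```

This removes only `$nor`; other operators are left for `sanitizeFilter` to wrap, so it complements rather than replaces upgrading to a patched release.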

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

References (5)