{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mongoose/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["mongoose \u003c 6.13.9","mongoose \u003e= 7.0.0, \u003c= 7.8.8","mongoose \u003e= 8.0.0, \u003c= 8.22.0","mongoose \u003e= 9.0.0, \u003c= 9.1.5"],"_cs_severities":["high"],"_cs_tags":["nosql-injection","mongoose","sanitizeFilter"],"_cs_type":"advisory","_cs_vendors":["Mongoose"],"content_html":"\u003cp\u003eMongoose, a MongoDB object modeling tool designed to work in an asynchronous environment, is susceptible to a NoSQL injection vulnerability. Specifically, the \u003ccode\u003esanitizeFilter\u003c/code\u003e function fails to properly sanitize the \u003ccode\u003e$nor\u003c/code\u003e operator, leading to potential bypass of query sanitization mechanisms. This issue affects Mongoose versions prior to 6.13.9, versions between 7.0.0 and 7.8.8, versions between 8.0.0 and 8.22.0, and versions between 9.0.0 and 9.1.5. Successful exploitation could lead to unauthorized data access, authentication bypass, and data exfiltration. Defenders should prioritize patching or implementing workarounds to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of Mongoose with \u003ccode\u003esanitizeFilter\u003c/code\u003e enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a \u003ccode\u003e$nor\u003c/code\u003e operator with an embedded, unsanitized operator (e.g., \u003ccode\u003e$ne\u003c/code\u003e, \u003ccode\u003e$gt\u003c/code\u003e, or \u003ccode\u003e$regex\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into a user-controlled input field, such as a search parameter or login field.\u003c/li\u003e\n\u003cli\u003eThe application passes the unsanitized input directly to a Mongoose query method (e.g., \u003ccode\u003eModel.findOne(req.body)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMongoose\u0026rsquo;s \u003ccode\u003esanitizeFilter\u003c/code\u003e function fails to properly sanitize the \u003ccode\u003e$nor\u003c/code\u003e operator, allowing the malicious operator to bypass sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious operator is executed against the MongoDB database.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication, gains unauthorized data access, or exfiltrates sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to significant impact, including authentication bypass, where attackers can gain access to user accounts without proper credentials. Unauthorized data access allows attackers to view and modify sensitive data that they should not have access to. Data exfiltration enables attackers to steal confidential information from the database. Organizations using vulnerable versions of Mongoose are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Mongoose version 6.13.9 or later, 7.8.9 or later, 8.22.1 or later, or 9.1.6 or later to patch the vulnerability as described in \u003ca href=\"https://github.com/advisories/GHSA-wpg9-53fq-2r8h\"\u003eGHSA-wpg9-53fq-2r8h\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the use of \u003ccode\u003e$nor\u003c/code\u003e in query parameters to \u003ccode\u003ewebserver\u003c/code\u003e logs and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement a workaround by deleting \u003ccode\u003e$nor\u003c/code\u003e keys or using an additional schema validation library as recommended in \u003ca href=\"https://github.com/advisories/GHSA-wpg9-53fq-2r8h\"\u003eGHSA-wpg9-53fq-2r8h\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T21:49:23Z","date_published":"2026-05-05T21:49:23Z","id":"/briefs/2026-05-mongoose-nosql-injection/","summary":"Mongoose versions before 6.13.9, versions 7.0.0 through 7.8.8, versions 8.0.0 through 8.22.0, and versions 9.0.0 through 9.1.5 are vulnerable to NoSQL injection due to improper sanitization of the $nor operator, potentially allowing attackers to bypass query sanitization and exfiltrate data.","title":"Mongoose NoSQL Injection Vulnerability via $nor Operator","url":"https://feed.craftedsignal.io/briefs/2026-05-mongoose-nosql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Mongoose","version":"https://jsonfeed.org/version/1.1"}