CVE-2026-42334
Authentication bypass vulnerability in mongoose (npm)

Authentication bypass | No known exploit

What is CVE-2026-42334 About?

This vulnerability allows bypassing Mongoose's `sanitizeFilter` query sanitization mechanism via the `$nor` operator. Attackers can inject malicious operators, leading to authentication bypass, unauthorized data access, or data exfiltration. The exploitation difficulty is moderate for applications directly passing unsanitized user input into queries.

Affected Software

  • mongoose
    • <6.13.9
    • >=7.0.0, <7.8.9
    • >=8.0.0, <8.22.1
    • >=9.0.0, <9.1.6

Technical Details

Mongoose's `sanitizeFilter` mechanism aims to prevent query injection by wrapping operators in `$eq`. However, the `$nor` logical operator was not included in the set of recursively sanitized operators. Since `$nor` accepts an array and arrays do not trigger `hasDollarKeys()`, an attacker can embed malicious operators (such as `$ne`, `$gt`, or `$regex`) inside a `$nor` clause. When user-controlled input is passed directly to query methods like `Model.findOne(req.body)`, these operators pass through `sanitizeFilter` unsanitized, bypassing the intended security controls and leading to unauthorized data manipulation or access.

What is the Impact of CVE-2026-42334?

Successful exploitation may allow attackers to bypass authentication, gain unauthorized access to data, or exfiltrate sensitive information from the database, leading to severe data compromise.

What is the Exploitability of CVE-2026-42334?

Exploitation requires an application to explicitly enable `sanitizeFilter` and pass unsanitized, user-controlled input directly into Mongoose query methods (e.g., `Model.findOne(req.body)`). No specific authentication is required if the vulnerable endpoint is public, and the attacker just needs to provide specially crafted input in the query. The attack is remote. The complexity is moderate, requiring knowledge of Mongoose's internal mechanisms and how `sanitizeFilter` operates. Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies are not affected. The primary risk factor is developers relying solely on `sanitizeFilter` without additional input validation.
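The mitigations named above (validating input, whitelisting fields, not passing raw request bodies) can be sketched as a check that runs before any query is built. This is an added example, not code from Mongoose or from this advisory; the field names, function names and sample request bodies are assumptions constructed for illustration.

```javascript
// Added example: pre-validation that does not depend on Mongoose.
// ALLOWED_FIELDS and both function names are assumptions for illustration.
const ALLOWED_FIELDS = ['username', 'tenantId'];

// List the path of every "$"-prefixed key, descending into arrays as well as
// objects (arrays under $nor are the case the advisory says went unsanitized).
function findOperatorPaths(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const found = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => found.push(...findOperatorPaths(item, `${path}[${i}]`)));
    return found;
  }
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$')) found.push(here);
    found.push(...findOperatorPaths(value[key], here));
  }
  return found;
}

// Build the query filter from an allowlist of string fields instead of
// passing the raw request body to a query method.
function buildFilter(body, allowed = ALLOWED_FIELDS) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be an object' };
  }
  const operators = findOperatorPaths(body);
  if (operators.length > 0) {
    return { ok: false, reason: `operator keys rejected: ${operators.join(', ')}` };
  }
  const filter = {};
  for (const field of allowed) {
    if (typeof body[field] !== 'string') {
      return { ok: false, reason: `${field} must be a string` };
    }
    filter[field] = body[field];
  }
  return { ok: true, filter };
}

// Constructed request bodies (not taken from the advisory).
const samples = [
  { username: 'alice', tenantId: 't1', role: 'admin' },
  { username: 'alice', $nor: [{ tenantId: { $ne: null } }] },
  { username: { $gt: '' }, tenantId: 't1' },
];
for (const body of samples) console.log(JSON.stringify(buildFilter(body)));
```

Only the first sample yields a filter, and the unlisted `role` key is dropped from it; the rejection reasons name the offending paths, which makes them usable as log entries for detection.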

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2026-42334?

Available Upgrade Options

  • mongoose
    • <6.13.9 → Upgrade to 6.13.9
    • >=7.0.0, <7.8.9 → Upgrade to 7.8.9
    • >=8.0.0, <8.22.1 → Upgrade to 8.22.1
    • >=9.0.0, <9.1.6 → Upgrade to 9.1.6

What are Similar Vulnerabilities to CVE-2026-42334?

Similar Vulnerabilities: CVE-2022-2479, CVE-2022-37599, CVE-2023-26131, CVE-2023-45133, CVE-2023-46722