CVE-2026-42334
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Description
### Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the `$nor` operator. When sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operators that are recursively sanitized. Because `$nor` accepts an array (like `$and` and `$or`), and arrays do not trigger `hasDollarKeys()`, malicious operators such as `$ne`, `$gt`, or `$regex` could be injected inside a `$nor` clause without being sanitized. This may lead to: - Authentication bypass - Unauthorized data access - Data exfiltration **Affected users:** Applications that: - Explicitly enable sanitizeFilter - Pass unsanitized user-controlled input directly into query methods (e.g., `Model.findOne(req.body)`) and rely on `sanitizeFilter` to strip out query selectors Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, `Model.findOne({ user: req.body.user, pwd: req.body.pwd })` is not affected. ### Patches Patches have been released for all supported Mongoose release lines: - `^6.13.9` - `^7.8.9` - `^8.22.1` - `^9.1.6` ### Workarounds Delete `$nor` keys, use an additional schema validation library, or write middleware to strip out `$nor` from query filters. ### Resources sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter() Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html
How to fix CVE-2026-42334
To remediate CVE-2026-42334, upgrade the affected package to a fixed version below.
- —upgrade to 6.13.9 or later
- —upgrade to 6.13.9 or later
Is CVE-2026-42334 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.