OR
          *cpe:2.3:a:mongoosejs:mongoose:*:*:*:*:*:node.js:*:* versions up to (excluding) 6.13.9
          *cpe:2.3:a:mongoosejs:mongoose:*:*:*:*:*:node.js:*:* versions from (including) 7.0.0 up to (excluding) 7.8.9
          *cpe:2.3:a:mongoosejs:mongoose:*:*:*:*:*:node.js:*:* versions from (including) 8.0.0 up to (excluding) 8.22.1
          *cpe:2.3:a:mongoosejs:mongoose:*:*:*:*:*:node.js:*:* versions from (including) 9.0.0 up to (excluding) 9.1.6

GitHub, Inc.: https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h Types: Mitigation, Vendor Advisory

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-74

https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h