chore(deps): update dependency mongoose to v8.22.1 [security]#2731

Open

renovate[bot] wants to merge 1 commit into

renovate/npm-mongoose-vulnerability

Contributor

renovate Bot commented May 7, 2026 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`8.10.1` → `8.22.1`

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

CVE-2026-42334 / GHSA-wpg9-53fq-2r8h

More information

Details

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

Authentication bypass
Unauthorized data access
Data exfiltration

Affected users:

Applications that:

Explicitly enable sanitizeFilter
Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

^6.13.9
^7.8.9
^8.22.1
^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

Automattic/mongoose (mongoose)

`v8.22.1`

==================

fix: handle other top-level query operators in sanitizeFilter
fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
types: add toBSON() to documents #15927

`v8.22.0`

8.22.0 / 2026-01-27

feat(model): allow passing strict option to hydrate() #15944 #15940

`v8.21.1`

===================

fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
types: add toBSON() to documents #15927

`v8.21.0`

===================

feat(document+model): pass options to pre('deleteOne') and update+options to pre('updateOne') hooks #15908 #15870
feat(document): add support for getAtomics() to allow custom container types to utilize atomics #15817
fix: add support for typescript style enums #15914 #15913 mjfwebb

`v8.20.4`

===================

fix(model): ensure $isDeleted is set after calling doc.deleteOne() successfully #15898
fix(document): use bitwise OR to accumulate version mode flags #15893 #15888 AbdelrahmanHafez

`v8.20.3`

===================

perf: use Object.hasOwn instead of Object#hasOwnProperty #15875 AbdelrahmanHafez
fix: improve error when calling Document.prototype.init() with null/undefined #15812 Vegapunk-debug
types(schema): avoid treating paths with default: null as required #15889
types(schema): allow partial statics to schema.statics() #15780

`v8.20.2`

===================

fix(model): bump version if necessary after successful bulkSave() #15809 #15800
fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
types(schema): allow calling schema.static() with as TStatics #15794 #15780

`v8.20.1`

===================

types: correct Model.schema type and fix unknown check for this param type in schema.methods #15750 #15693
docs: add detailed loadClass() TypeScript usage guide #15731 #12813 Necro-Rohan
docs: update version support documentation for Mongoose #15761 ManmathX
docs: add copy-to-clipboard feature for code blocks in docs #15759 vedansha07

`v8.20.0`

===================

feat: cast id parameter based on schema _id type in DocumentArray.id() #15733 #15725 #15724 Lex-Ashu
fix: pass parent schema to SchemaType constructors in interpretAsType to make implementing custom container types easier #15700
types(models): default _id type to ObjectId for Document #15688 Catwallon
docs: add FAQ entry about DivergentArrayError #15743 Mario5T
docs: update browser.md with Mongoose limitations #15744 YashSharma64
chore: add benchmark for large nested array documents (related to #9588) #15742 Kundan-CR7

`v8.19.4`

===================

fix(schema): avoid throwing error on array of unions #15720 #15718
fix: store original index on insertMany validation errors #15735 Jadu07
types: correct return type of discriminator to Model #15726 twentytwo777
docs: improve Next.js integration guide with comprehensive examples #15730 adarsh-priydarshi-5646
docs: add documentation for Union Schema Type #15721 TechGenie-awake
docs: removed the outdated callback and replaced them with async/await pattern #15723 hk2166
docs: fix lingering remove() call in statics docs #15737 Gautam-Bharadwaj
docs: fix inline doc typo in schematypes.d.ts #15738 hagid786

`v8.19.3`

===================

fix(model+plugins): correctly apply shard key on deleteOne() #15705 #15701
fix(schema): correctly cache text indexes as 'text' not 1 #15695
types: make inferRawDocType correctly infer empty array type [] as any[] #15704 #15699

`v8.19.2`

===================

perf(setDefaultsOnInsert): avoid computing all modified paths when running setDefaultsOnInsert and update validators, only calculate if there are defaults to set #15691 #15672
fix: correct handling of relative vs absolute paths with maps and subdocuments #15682 #15678 #15350
ci: add publish script with provenance #15684 #15680

`v8.19.1`

===================

perf: avoid getting all modified paths in update when checking if versionKey needs to be set #15677 #15672
perf: Avoid needless path translation #15679 orgads
fix(query): throw error if using update operator with modifier and no path #15670 #15642
types: avoid making FilterQuery a conditional type because of how typescript handles distributed conditional unions #15676 #15671
docs: update installation instructions #15675 aalok-y

`v8.19.0`

===================

feat: upgrade mongodb driver to 6.20.0 #15651 #15656
feat(model): add virtuals option to Model.hydrate() to set virtuals #15638 #15627
fix(schema): handle casting array filters underneath maps of Mixed #15655 #15653
types: optimize InferRawDocType #15588 ssalbdivad
types(schema): add lean schema option to TypeScript types #15646 #15583 #10090

`v8.18.3`

===================

fix(update): avoid throwing error if update has a top-level $addToSet with no path #15648 #15642
types(query): allow passing arbitrary options #15644 #15643
docs(connection+mongoose): correct mongodb option name user -> username #15650 #15647
test: add tests covering vector search and text search using Atlas CLI #15649 #15645

`v8.18.2`

===================

fix(document): prevent $clone() from converting mongoose arrays into vanilla arrays #15633 #15625
fix(connection): use correct collection name for model when using useConnection() #15637
fix(connection): propagate changes to _lastHeartbeatAt to useDb() child connections #15640 #15635
types: fix schema property type definition in SchemaType #15631

`v8.18.1`

===================

types: correct type inference for maps of maps #15602
types(model): copy base model statics onto discriminator model #15623 #15600
types: fix types for a string of enums #15605 ruiaraujo
types(SchemaOptions): disallow versionKey: true, which fails at runtime #15606
docs(typescript): add example explaining how to use query helper overrides for handling lean() #15622 #15601
docs(transactions): add note about nested transactions #15624

`v8.18.0`

===================

feat(schema): support for union types #15574 #10894
fix: trim long strings in minLength and maxLength error messages and display the string length #15571 #15550
types(connection+collection): make BaseCollection and BaseConnection usable as values #15575 #15548
types: remove logic that omits timestamps when virtuals, methods, etc. options set #15577 #12807

`v8.17.2`

===================

fix: avoid Model.validate() hanging when all paths fail casting #15580 #15579 piotracalski
types(document): better support for flattenObjectIds and versionKey options for toObject() and toJSON() #15582 #15578
docs: fix docs jsdoc tags and add UUID to be listed #15585
docs(document): fix code sample that errors with "Cannot set properties of undefined" #15589

`v8.17.1`

===================

fix(query): propagate read preference and read concern to populate if read() called after populate() #15567 #15553
fix(model): call correct function in autoSearchIndex #15569 #15565
fix(model): allow setting statics option on discriminator schema #15568 #15556
fix(model): remove unnecessary conversion of undefined -> null in findById #15566 #15551
types: allow passing in projections without as const #15564 #15557
types: support maxLength and minLength in SchemaTypeOptions #15570 #4720

`v8.17.0`

===================

feat: upgrade mongodb -> 6.18.0 #15552
feat(mongoose): export base Connection and Collection classes #15548
feat: make Schema.prototype.$conditionalHandlers public #15497
types: automatically infer discriminator type #15547 #15535
types: make versionKey: false disable __v from hydrated document #15524 #15511
types: indicate support for mongodb abort #15549 GalacticHypernova
types: add options property to schemas #15524
types(schematype): make defaultOptions static and add schemaOptions to DocumentArray #15529 #15524

`v8.16.5`

===================

fix(map): avoid throwing required error if saving map of primitives with required: true #15542
types(model): export MongooseBulkWriteResult type #15546
types(connection): add base to connection type #15544

`v8.16.4`

===================

fix(connection): avoid calling connection.close() internally with force: Object #15534 #15531
types(schema): handle required: string in schema definitions #15538 #15536
types(document): allow calling $isDefault() with no args #15528 #15522
types: infer Typescript string enums #15530 ruiaraujo
types: pass TModelType down to schema statics #15537

`v8.16.3`

===================

fix(document): clean modified subpaths if unsetting map #15520 #15519
fix: make DocumentArray SchemaType pass all options to embedded SchemaType #15523
types: support readonly array in query.select #15527 omermizr

`v8.16.2`

===================

fix(cursor): populate after hydrating in queryCursor so populated docs get parent() #15498 #15494
fix(schema): support toJSONSchema() on mixed types and improve error message about unsupported types #15492 #15489
types: add _id and __v to toObject/toJSON transform type #15501 #15479
types(schema): use user-provided THydratedDocumentType as context for virtual get() and set() #15517 #15516
types: improve typing for transform option to toJSON and toObject #15485
docs: link to custom setter docs from lowercase, etc. options and note that setters run on query filters #15493 #15491
docs(jest): add note about resetModules #15515

`v8.16.1`

===================

fix(document): avoid setting _skipMarkModified when setting nested path with merge option #15484 #11913
fix(model): make sure post save error handler gets doc as param on VersionError #15483 #15480
fix: consistent $conditionalHandlers setup between schematypes #15490
docs(compatibility): note that mongodb 4.0 is not supported anymore since 8.16.0 #15487 hasezoey
docs: remove unnecessary --save flag from npm install instruction #15486 Thahirgeek

`v8.16.0`

===================

feat(model): add Model.createSearchIndexes() #15470 #15465
feat: upgrade MongoDB driver -> 6.17.0 #15468 gmstavros

`v8.15.2`

===================

fix(document+schema): improve handling for setting paths underneath maps, including maps of maps #15477 #15461
fix: report default paths in VersionError message because they can can cause VersionError #15464
fix(updateValidators): ensure update validators only call validators underneath single nested paths once #15446 #15436
fix: fix validation for deeply nested maps of subdocuments #15469 #15447 AbdelrahmanHafez
fix(DocumentArray): correctly set parent if instantiated with schema from another Mongoose instance #15471 #15466
types(model): use ProjectionType for Model.hydrate() #15447 #15443

`v8.15.1`

===================

types: correct handling of _id in ProjectionType #15432 #15418
types: fix definition of VectorSearch.$vectorSearch #15429 chriskrycho
docs: add Document#save to list of function with callbacks removed #15433 SethFalco

`v8.15.0`

===================

feat: CSFLE support #15390 baileympearson
feat: add strictFilter option to findOneAndUpdate (#14913) #15402 #14913 muazahmed-dev
feat(error): set cause to MongoDB error reason on ServerSelection errors #15420 #15416
fix(model): make bulkSave() rely on document.validateSync() to validate docs and skip bulkWrite casting #15415 #15410
types: stricter projection typing with 1-level deep nesting #15418 #15327 #13840 pshaddel
docs: emphasize automatic type inference in TypeScript intro and statics/methods, remove duplicated statics.md #15421

`v8.14.3`

===================

types(schema): allow post('init') #15413 #15412 #15333
types: fix signature of DocumentArray.id #15414 Sainan
docs: fix typo - change 'prodecure' to 'procedure' #15419 0xEbrahim

`v8.14.2`

===================

fix(query): handle casting array filter paths underneath array filter paths with embedded discriminators #15388 #15386
docs(typescript): correct schema and model generic params in TS virtuals docs #15391
docs+types(schema): add alternative optimisticConcurrency syntaxes to docs + types #15405 #10591
chore: add Node 24 to CI matrix #15408 stscoundrel

`v8.14.1`

===================

fix: correct change tracking with maps of arrays of primitives and maps of maps #15374 #15350
fix(populate): consistently convert Buffer representation of UUID to hex string to avoid confusing populate assignment #15383 #15382
docs: add TypeScript Query guide with info on lean() + transform() #15377 #15311

`v8.14.0`

===================

feat: upgrade MongoDB driver -> 6.16 #15371
feat: implement Query findById methods #15337 sderrow
feat(subdocument): support schematype-level minimize option to disable minimizing empty subdocuments #15336 #15313
feat: add skipOriginalStackTraces option to avoid stack trace performance overhead #15345 #15194
fix(model): disallow Model.findOneAndUpdate(update) and fix TypeScript types re: findOneAndUpdate #15365 #15363
types: correctly recurse in InferRawDocType #15357 #14954 JavaScriptBach
types: include virtuals in toJSON and toObject output if virtuals: true set #15346 #15316
types: make init hooks types accurately reflect runtime behavior #15331 #15301

`v8.13.3`

===================

fix: export MongooseBulkSaveIncompleteError #15370 #15369
fix: clone POJOs and arrays when casting query filter to avoid mutating objects #15367 #15364
types(connection): add Connection.prototype.bulkWrite() to types #15368 #15359
docs: add version requirements to v7 migration docs #15361 SethFalco
docs: update links in deleteOne & deleteMany API def #15360 Elliot67
docs: adds Model#count to list of fns callback removed from #15349 SethFalco

`v8.13.2`

===================

fix: avoid double calling validators on paths in document arrays underneath subdocuments #15338 #15335

`v8.13.1`

===================

fix(populate): handle virtual populate on array of UUIDs #15329 #15315
types: allow default function returning undefined with DocType override #15328

`v8.13.0`

===================

feat: bump mongodb driver -> 6.15.0
feat: support custom types exported from driver #15321

`v8.12.2`

===================

fix(document): avoid stripping out fields in discriminator schema after select: false field #15322 #15308
fix(AggregationCursor): make next() error if schema pre('aggregate') middleware throws error #15293 #15279
fix(populate): correctly get schematypes when deep populating under a map #15302 #9359
fix(model): avoid returning null from bulkSave() if error doesn't have writeErrors property #15323
types: add WithTimestamps utility type #15318 baruchiro
docs: update references to the ms module in date schema documentation #15319 baruchiro
docs: fix typo in schematypes.md #15305 skyran1278

`v8.12.1`

===================

fix: match bson version with mongodb's bson version #15297 hasezoey

`v8.12.0`

===================

feat: bump mongodb driver to 6.14
feat: expose "SchemaTypeOptions" in browser #15277 hasezoey
docs: update field-level-encryption.md #15272 dphrag

`v8.11.0`

===================

feat(model): make bulkWrite results include MongoDB bulk write errors as well as validation errors #15271 #15265
feat(document): add schemaFieldsOnly option to toObject() and toJSON() #15259 #15218
feat: introduce populate ordered option for populating in series rather than in parallel for transactions #15239 #15231 #15210
fix(bigint): throw error when casting BigInt that's outside of the bounds of what MongoDB can safely store #15230 #15200

`v8.10.2`

===================

fix(model+connection): return MongoDB BulkWriteResult instance even if no valid ops #15266 #15265
fix(debug): avoid printing trusted symbol in debug output #15267 #15263
types: make type inference logic resilient to no Buffer type due to missing @types/node #15261

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from a4bcb23 to 98c1291 Compare

May 12, 2026 17:15

renovate Bot changed the title ~~chore(deps): update dependency mongoose to v8.22.1 [security]~~ chore(deps): update dependency mongoose to v8.22.1 [security] - autoclosed

renovate Bot closed this

renovate Bot deleted the renovate/npm-mongoose-vulnerability branch

May 23, 2026 12:47


          chore(deps): update dependency mongoose to v8.22.1 [security]

9cb4b6f

renovate Bot changed the title ~~chore(deps): update dependency mongoose to v8.22.1 [security] - autoclosed~~ chore(deps): update dependency mongoose to v8.22.1 [security]

renovate Bot reopened this

renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 98c1291 to 9cb4b6f Compare

May 23, 2026 17:16

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet