chore(deps): update dependency mongoose to v6 [security]#815
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency mongoose to v6 [security]#815renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 19, 2023 00:35
ef3fbc6 to
f7b3864
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 3, 2024 04:28
f7b3864 to
1a5539e
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 4, 2024 17:48
1a5539e to
d5c8a8c
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 4, 2024 23:06
d5c8a8c to
ea61bbb
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 8, 2024 21:05
4b18866 to
ea61bbb
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
January 23, 2025 17:01
c213009 to
c3c02f2
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 30, 2025 18:31
c3c02f2 to
bdaec61
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
February 9, 2025 14:12
bdaec61 to
0807294
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
March 3, 2025 15:11
0807294 to
0b02631
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
March 17, 2025 13:31
7c79f11 to
a57c176
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
April 1, 2025 12:23
a57c176 to
7540864
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
April 8, 2025 13:24
7540864 to
c185b1d
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
April 24, 2025 05:52
c185b1d to
8b558bc
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
May 19, 2025 17:05
8b558bc to
a8cc67b
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
May 28, 2025 09:09
a8cc67b to
dc743ec
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
June 4, 2025 13:17
dc743ec to
fc82c5d
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
June 22, 2025 15:24
fc82c5d to
94a4ea0
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 2, 2025 15:42
94a4ea0 to
017cafd
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
August 10, 2025 14:55
017cafd to
ad57c70
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
September 25, 2025 18:39
5f378c6 to
fafcb80
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
October 21, 2025 21:11
fafcb80 to
b70fb73
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
November 10, 2025 23:38
b70fb73 to
61b93c9
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
November 18, 2025 12:51
61b93c9 to
b7326d7
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 3, 2025 18:03
b7326d7 to
f589ae7
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 31, 2025 13:50
f589ae7 to
b38db82
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 8, 2026 19:38
b38db82 to
757e999
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 19, 2026 15:55
757e999 to
f5abbd1
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
February 2, 2026 20:38
f5abbd1 to
bc60ca7
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
February 17, 2026 21:33
63cb9c4 to
91117c3
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
March 5, 2026 15:56
91117c3 to
9a1b42c
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
March 13, 2026 15:56
9a1b42c to
b723c6e
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
3 times, most recently
from
April 1, 2026 17:45
789a985 to
9814e11
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
April 8, 2026 17:20
9814e11 to
e3abb07
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
April 29, 2026 16:29
e3abb07 to
d1fca04
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
May 18, 2026 19:38
1b044b3 to
c6de680
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
May 30, 2026 22:57
c6de680 to
ae267fc
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
June 11, 2026 11:06
ae267fc to
780a59c
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 12, 2026 09:44
780a59c to
e3ab01a
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 16, 2026 14:58
e3ab01a to
b527788
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.6.7→6.13.6Improper Input Validation in Automattic Mongoose
CVE-2019-17426 / GHSA-8687-vv9j-hgph
More information
Details
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a
_bsontypeattribute is ignored. For example, adding"_bsontype":"a"can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
automattic/mongoose vulnerable to Prototype pollution via Schema.path
CVE-2022-2564 / GHSA-f825-f98c-gj3g
More information
Details
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose Prototype Pollution vulnerability
CVE-2023-3696 / GHSA-9m93-w8w6-76hh
More information
Details
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose Vulnerable to Prototype Pollution in Schema Object
CVE-2022-24304 / GHSA-h8hf-x3f4-xwgp
More information
Details
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()function is vulnerable to prototype pollution when setting theschemaobject. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Proof of Concept
Impact
This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose search injection vulnerability
CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw
More information
Details
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the
$whereoperator. This vulnerability arises from the ability of the$whereclause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
Automattic/mongoose (mongoose)
v6.13.6Compare Source
===================
v6.13.5Compare Source
===================
v6.13.4Compare Source
===================
v6.13.3Compare Source
===================
v6.13.2Compare Source
===================
v6.13.1Compare Source
===================
v6.13.0Compare Source
===================
v6.12.9Compare Source
===================
v6.12.8Compare Source
===================
valueproperty rather than boolean #14418v6.12.7Compare Source
===================
openUri()#14370 #13376 #13335v6.12.6Compare Source
===================
v6.12.5Compare Source
===================
v6.12.4Compare Source
===================
v6.12.3Compare Source
===================
removeVirtual()#14019 #13085v6.12.2Compare Source
===================
v6.12.1Compare Source
===================
v6.12.0Compare Source
===================
v6.11.6Compare Source
===================
v6.11.5Compare Source
===================
v6.11.4Compare Source
===================
v6.11.3Compare Source
===================
v6.11.2Compare Source
===================
v6.11.1Compare Source
===================
v6.11.0Compare Source
===================
v6.10.5Compare Source
===================
v6.10.4Compare Source
===================
v6.10.3Compare Source
===================
v6.10.2Compare Source
===================
enginesinpackage.json#13124 lorand-horvathv6.10.1Compare Source
===================
$andand$or#13086 #12898Model.populate()#13070v6.10.0Compare Source
===================
v6.9.3Compare Source
==================
autoCreateandautoIndexuntil after initial connection established #13007 #12940 lpizzinidevv6.9.2Compare Source
==================
v6.9.1Compare Source
==================
v6.9.0Compare Source
==================
$orconditions after strict applied #12898 0x0a0dv6.8.4Compare Source
==================
v6.8.3Compare Source
==================
v6.8.2Compare Source
==================
v6.8.1Compare Source
==================
$localsparameters to getters/setters tutorial #12814 #12550 IslandRhythmsv6.8.0Compare Source
==================
localFieldandforeignFieldfor virtual populate #12657 #6963 IslandRhythmsv6.7.5Compare Source
==================
v6.7.4Compare Source
==================
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.