fix(deps): update dependency mongoose to v6 [security]#942
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency mongoose to v6 [security]#942renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Bug Fixes
ContributorsCommit-Lint commandsYou can trigger Commit-Lint actions by commenting on this PR:
|
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 18, 2023 23:00
45aa2e3 to
84f6fd7
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 3, 2024 01:44
84f6fd7 to
5dfb803
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 4, 2024 18:18
5dfb803 to
0e35673
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 4, 2024 21:22
0e35673 to
795dfd2
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 16, 2025 21:49
795dfd2 to
767a571
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 19, 2025 08:37
767a571 to
2b3f608
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
August 13, 2025 16:13
5b88ffe to
e40093d
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
August 31, 2025 13:14
e40093d to
83a0053
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
September 25, 2025 21:25
83a0053 to
4265adc
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
October 22, 2025 00:46
4265adc to
a6aee15
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
November 11, 2025 01:05
a6aee15 to
fd8d758
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
November 19, 2025 00:31
fd8d758 to
49d1ebb
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 3, 2025 19:08
49d1ebb to
02da1cc
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
December 31, 2025 17:43
02da1cc to
a97fdb3
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 8, 2026 17:44
a97fdb3 to
c1c4cf2
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
January 19, 2026 20:05
c1c4cf2 to
70aded5
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
February 4, 2026 22:25
f2c19f9 to
3828a3d
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
February 5, 2026 00:30
3828a3d to
8bc7b50
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
March 30, 2026 21:39
8bc7b50 to
937861a
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
April 15, 2026 08:53
937861a to
9ce5c3c
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
3 times, most recently
from
April 29, 2026 15:15
f118e41 to
6282012
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
May 18, 2026 20:14
0a7f35d to
3ae9df7
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
June 1, 2026 23:02
ad6db4a to
0738ee8
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
June 11, 2026 20:16
0738ee8 to
21055ac
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 12, 2026 10:01
21055ac to
a1cf8b0
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 16, 2026 15:37
a1cf8b0 to
3aedd6b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.13.14→6.13.6automattic/mongoose vulnerable to Prototype pollution via Schema.path
CVE-2022-2564 / GHSA-f825-f98c-gj3g
More information
Details
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose Prototype Pollution vulnerability
CVE-2023-3696 / GHSA-9m93-w8w6-76hh
More information
Details
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose Vulnerable to Prototype Pollution in Schema Object
CVE-2022-24304 / GHSA-h8hf-x3f4-xwgp
More information
Details
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()function is vulnerable to prototype pollution when setting theschemaobject. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Proof of Concept
Impact
This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose search injection vulnerability
CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw
More information
Details
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the
$whereoperator. This vulnerability arises from the ability of the$whereclause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose search injection vulnerability
CVE-2024-53900 / GHSA-m7xq-9374-9rvx
More information
Details
Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
Automattic/mongoose (mongoose)
v6.13.6Compare Source
===================
v6.13.5Compare Source
===================
v6.13.4Compare Source
===================
v6.13.3Compare Source
===================
v6.13.2Compare Source
===================
v6.13.1Compare Source
===================
v6.13.0Compare Source
===================
v6.12.9Compare Source
===================
v6.12.8Compare Source
===================
valueproperty rather than boolean #14418v6.12.7Compare Source
===================
openUri()#14370 #13376 #13335v6.12.6Compare Source
===================
v6.12.5Compare Source
===================
v6.12.4Compare Source
===================
v6.12.3Compare Source
===================
removeVirtual()#14019 #13085v6.12.2Compare Source
===================
v6.12.1Compare Source
===================
v6.12.0Compare Source
===================
v6.11.6Compare Source
===================
v6.11.5Compare Source
===================
v6.11.4Compare Source
===================
v6.11.3Compare Source
===================
v6.11.2Compare Source
===================
v6.11.1Compare Source
===================
v6.11.0Compare Source
===================
v6.10.5Compare Source
===================
v6.10.4Compare Source
===================
v6.10.3Compare Source
===================
v6.10.2Compare Source
===================
enginesinpackage.json#13124 lorand-horvathv6.10.1Compare Source
===================
$andand$or#13086 #12898Model.populate()#13070v6.10.0Compare Source
===================
v6.9.3Compare Source
==================
autoCreateandautoIndexuntil after initial connection established #13007 #12940 lpizzinidevv6.9.2Compare Source
==================
v6.9.1Compare Source
==================
v6.9.0Compare Source
==================
$orconditions after strict applied #12898 0x0a0dv6.8.4Compare Source
==================
v6.8.3Compare Source
==================
v6.8.2Compare Source
==================
v6.8.1Compare Source
==================
$localsparameters to getters/setters tutorial #12814 #12550 IslandRhythmsv6.8.0Compare Source
==================
localFieldandforeignFieldfor virtual populate #12657 #6963 IslandRhythmsv6.7.5Compare Source
==================
[`v6
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.