[GHSA-m7xq-9374-9rvx] Mongoose search injection vulnerability #6766
ljharb wants to merge 2 commits into ljharb/advisory-improvement-6766 from
Conversation
Pull request overview
This PR updates the security advisory GHSA-m7xq-9374-9rvx for a Mongoose search injection vulnerability. According to the PR description, the vulnerable code was introduced in version 5.6.4, and versions 5.0.0 through 5.6.3 (111 versions) were incorrectly marked as vulnerable.
Changes:
- Updated the "introduced" version from "8.0.0-rc0" to "5.6.4" in the first affected range
- Removed the CVSS v3 score, keeping only CVSS v4
- Added a "database_specific" field with "last_known_affected_version_range"
| "introduced": "5.6.4" | ||
| }, | ||
| { | ||
| "fixed": "8.8.3" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "< 6.13.5" | ||
| } |
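Review bot: moving only the lower bound of the first range to "introduced": "5.6.4" while it keeps "fixed": "8.8.3" turns that one range into 5.6.4 through 8.8.2, so it now also covers 6.13.5 and 7.8.3 onward, which the details field lists as the fixed releases for those lines, and it overlaps the range that ends at "fixed": "6.13.5". Keep the first range at its original "introduced": "8.0.0-rc0" and put the 5.6.4 lower bound on the range bounded by "fixed": "6.13.5" instead; the new "last_known_affected_version_range" then belongs as ">= 5.6.4 < 6.13.5" rather than "< 6.13.5", since "< 6.13.5" still admits the 5.0.0 through 5.6.3 releases this PR says are unaffected.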
The change to "introduced": "5.6.4" is correct according to the PR description, but there is a critical inconsistency in the advisory. The third affected range (lines 68-73) still specifies "introduced": "0", which means versions from 0 to 6.13.5 are marked as vulnerable. This contradicts the PR description which states that "versions before 5.6.4 are unaffected by this vulnerability." This creates overlapping and inconsistent version ranges:
- First range: 5.6.4 to 8.8.3 (affected)
- Third range: 0 to 6.13.5 (affected)
The third range should be updated to start from "5.6.4" instead of "0", or removed entirely if the first and second ranges already cover all affected versions correctly.
| ] | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "< 6.13.5" |
The "last_known_affected_version_range": "< 6.13.5" field is confusing and potentially incorrect. According to the advisory details (line 10), version 6.13.5 is a fixed version, not an affected version. The field name suggests it should contain the last affected version range, but "< 6.13.5" includes versions before 5.6.4 which the PR description states are unaffected. This field should either be removed or updated to accurately reflect the affected version range (e.g., ">= 5.6.4 < 6.13.5").
| "last_known_affected_version_range": "< 6.13.5" | |
| "last_known_affected_version_range": ">= 5.6.4 < 6.13.5" |
| "CVE-2024-53900" | ||
| ], | ||
| "summary": "Mongoose search injection vulnerability", | ||
| "details": "Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.", |
The details field states "Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable" which implies all versions before 6.13.5 are affected. However, according to the PR description, only versions 5.6.4 and later contain the vulnerable code path. The details should be updated to clarify that only versions from 5.6.4 onwards are affected, not all versions prior to the fixed versions. For example: "Mongoose versions 5.6.4 through 6.13.4, 7.0.0-rc0 through 7.8.2, and 8.0.0-rc0 through 8.8.2 are vulnerable..."
The suggested changes look good, but I can't update the PR myself.

Hi @ljharb, Thank you for bringing this to our attention. It appears that

Hmm, thanks for catching that. I'll get back to you shortly!

You're right; the vulnerability continues to exist down to v3.6.0-rc0. However, versions prior to 3.6.0-rc0 are confirmed UNAFFECTED because:
Can you update this PR to indicate that?

Actually I opened #6766 instead.

Oops, this was the same PR, my bad.

OK, reopened it as #6769.
Versions before 5.6.4 are unaffected by this vulnerability. The vulnerable code (getModelsMapForPopulate.js with the match function that can accept $where filters) was introduced in version 5.6.4. Testing confirms that versions 5.0.0 through 5.6.3 do not contain the vulnerable code path - the lib/helpers/populate/getModelsMapForPopulate.js file does not exist in those versions. This affects 111 versions (5.0.0-rc0 through 5.6.3) that are incorrectly marked as vulnerable.
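To show what the range edits debated in this PR mean for a consumer of the advisory, here is an added Python evaluator (not code from the advisory database or from Mongoose) that applies OSV SEMVER range semantics (affected when introduced <= version < fixed) to the ranges reconstructed from the values quoted in this thread; the range tables are constructed from the discussion, with the 7.x bounds taken from the details text and the review comment.

```python
"""OSV-style SEMVER range evaluation for the GHSA-m7xq-9374-9rvx ranges discussed in this PR."""
import re
from typing import Dict, List, Tuple

def parse(version: str) -> Tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a sortable key; a prerelease such as 8.0.0-rc0 sorts before 8.0.0."""
    if version == "0":                       # OSV convention: "introduced": "0" means every version
        return ((0, 0, 0), 0, ())
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if not m.group(4):
        return (core, 1, ())                 # release ranks above any prerelease with the same core
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m.group(4).split("."))
    return (core, 0, ids)

def is_affected(version: str, ranges: List[List[Dict[str, str]]]) -> bool:
    """Affected if, in any range, introduced <= version < fixed (a range with no 'fixed' is open-ended)."""
    v = parse(version)
    for events in ranges:
        introduced = fixed = None
        for ev in events:
            if "introduced" in ev:
                introduced = parse(ev["introduced"])
            if "fixed" in ev:
                fixed = parse(ev["fixed"])
        if introduced is not None and introduced <= v and (fixed is None or v < fixed):
            return True
    return False

# Ranges as this PR leaves them (constructed from the values quoted in the thread):
# the first range now runs 5.6.4 -> 8.8.3 and the third range still starts at "0".
PR_RANGES = [
    [{"introduced": "5.6.4"}, {"fixed": "8.8.3"}],
    [{"introduced": "7.0.0-rc0"}, {"fixed": "7.8.3"}],
    [{"introduced": "0"}, {"fixed": "6.13.5"}],
]
# One range per major line, each ending at its own fixed release (constructed, per the review discussion).
CORRECTED_RANGES = [
    [{"introduced": "8.0.0-rc0"}, {"fixed": "8.8.3"}],
    [{"introduced": "7.0.0-rc0"}, {"fixed": "7.8.3"}],
    [{"introduced": "5.6.4"}, {"fixed": "6.13.5"}],
]

def compare(version: str) -> Tuple[bool, bool]:
    """Return (affected under PR_RANGES, affected under CORRECTED_RANGES) for one version string."""
    return is_affected(version, PR_RANGES), is_affected(version, CORRECTED_RANGES)

if __name__ == "__main__":
    for ver in ("5.6.3", "5.6.4", "6.13.4", "6.13.5", "7.8.3", "8.0.0-rc0", "8.8.2", "8.8.3"):
        print(ver, compare(ver))
```

Under the PR's ranges 5.6.3 is still flagged (third range starting at "0") and the fixed releases 6.13.5 and 7.8.3 are flagged too (first range spanning 5.6.4 to 8.8.3); the per-major-line ranges flag exactly 5.6.4 through 6.13.4, 7.0.0-rc0 through 7.8.2 and 8.0.0-rc0 through 8.8.2.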