[GHSA-m7xq-9374-9rvx] Mongoose search injection vulnerability

[ljharb]

Updates

• Affected products
• CVSS v3

Comments
versions prior to 3.6.0-rc0 are confirmed UNAFFECTED because:

The match option for populate() did not exist
There was no code path that could accept or process a $where filter through populate
PoC testing of 27 representative versions all return NOT_AFFECTED
The exact boundary is confirmed: 3.5.16 (last unaffected) → 3.6.0-rc0 (first affected)

[Copilot]

Pull request overview

This PR updates the Mongoose security advisory GHSA-m7xq-9374-9rvx to correctly specify the affected version range and update CVSS scoring information. The advisory addresses a search injection vulnerability related to the improper use of the $where operator in MongoDB queries.

Changes:

• Updated the lower bound of affected versions from "0" to "3.6.0-rc0" to reflect that versions prior to 3.6.0-rc0 are confirmed unaffected
• Removed the CVSS v3 score, retaining only the CVSS v4 score
• Updated the modification timestamp

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JonathanLEvans]

🤔 I am not sure I am fully following the code but it looks like in Automattic/mongoose@7e0af7e they moved from conditions to match in the prototypes and added a Model.populate function. It seems likely to me that 3.5.16 and earlier could still be exploited using $where in the conditions. That being said, the CVE says match so I guess that would we be a different vulnerability.

[advisory-database]

Hi @ljharb! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!