Mongoose — CVE history (npm)

Mongoose

6 CVEs affect the Mongoose npm package (highest CVSS 9.8). Latest disclosed: 2026-05-14. Full CVE history sourced from NVD.

Summary

Package: Mongoose (npm)
Total CVEs: 6
Actively exploited (CISA KEV): 0
Highest CVSS: 9.8
Latest disclosed: 2026-05-14

Recent CVEs (top 6)

CVE            | Severity | CVSS | KEV | Published  | Summary
CVE-2026-42334 | High     | 7.5  | No  | 2026-05-14 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
CVE-2025-23061 | Critical | 9.0  | No  | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection.
CVE-2024-53900 | Critical | 9.1  | No  | 2024-12-02 | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
CVE-2023-3696  | Critical | 9.8  | No  | 2023-07-17 | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVE-2022-2564  | Critical | 9.8  | No  | 2022-07-28 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVE-2019-17426 | Critical | 9.1  | No  | 2019-10-10 | Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored.

All-time worst (top 6 by CVSS)

CVE            | Severity | CVSS | KEV | Published  | Summary
CVE-2023-3696  | Critical | 9.8  | No  | 2023-07-17 | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVE-2022-2564  | Critical | 9.8  | No  | 2022-07-28 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVE-2024-53900 | Critical | 9.1  | No  | 2024-12-02 | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
CVE-2019-17426 | Critical | 9.1  | No  | 2019-10-10 | Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored.
CVE-2025-23061 | Critical | 9.0  | No  | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection.
CVE-2026-42334 | High     | 7.5  | No  | 2026-05-14 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.