Mongoose — CVE history (npm)
Mongoose
6 CVEs affect the Mongoose npm package (highest CVSS 9.8). Latest disclosed: 2026-05-14. Full CVE history sourced from NVD.
Summary
- Package: Mongoose (npm)
- Total CVEs: 6
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2026-05-14
Recent CVEs (top 6)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42334 | High | 7.5 | — | 2026-05-14 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. |
| CVE-2025-23061 | Critical | 9.0 | — | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. |
| CVE-2024-53900 | Critical | 9.1 | — | 2024-12-02 | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. |
| CVE-2023-3696 | Critical | 9.8 | — | 2023-07-17 | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
| CVE-2022-2564 | Critical | 9.8 | — | 2022-07-28 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. |
| CVE-2019-17426 | Critical | 9.1 | — | 2019-10-10 | Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. |
All-time worst (top 6 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-3696 | Critical | 9.8 | — | 2023-07-17 | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
| CVE-2022-2564 | Critical | 9.8 | — | 2022-07-28 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. |
| CVE-2024-53900 | Critical | 9.1 | — | 2024-12-02 | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. |
| CVE-2019-17426 | Critical | 9.1 | — | 2019-10-10 | Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. |
| CVE-2025-23061 | Critical | 9.0 | — | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. |
| CVE-2026-42334 | High | 7.5 | — | 2026-05-14 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. |