Mongoose Query Sanitization Bypass Vulnerability Allowing NoSQL Injection
Vulnerability
A vulnerability in Mongoose, a MongoDB object modeling tool for Node.js, allows the query sanitization performed by the sanitizeFilter feature to be bypassed through the $nor operator. This issue is present in Mongoose versions prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6. When sanitizeFilter is enabled, Mongoose neutralizes query operators found in untrusted filter values by wrapping them in $eq. However, the $nor operator was not covered by this sanitization, so operators such as $ne, $gt, or $regex nested inside a $nor clause were passed through to MongoDB unwrapped and undetected. This vulnerability could lead to authentication bypass, unauthorized data access, or data exfiltration.
Impact
Exploiting this vulnerability could bypass authentication mechanisms, leading to unauthorized access to data or allowing sensitive information to be extracted from the database.
Remediation
Users should upgrade to Mongoose version 6.13.9, 7.8.9, 8.22.1, or 9.1.6 to address this vulnerability. Where upgrading is not possible, $nor keys can be removed from untrusted input before it reaches a query, an additional schema validation library can be used to reject unexpected operators, or query middleware can be written to strip $nor from query filters.
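The middleware workaround above, as an added example that is not Mongoose's own code: a recursive sanitizer that removes every $nor clause from a filter, including clauses nested inside $and or $or arrays, with a constructed sample filter. The commented-out hook wiring assumes the standard pre('find') / getFilter() / setQuery() API of recent Mongoose versions and is not executed here.

```javascript
// Added example (not part of Mongoose): drop every `$nor` clause at any depth
// so operators smuggled inside `$nor` never reach MongoDB unwrapped.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return false;
  }
  const proto = Object.getPrototypeOf(value);
  // Treat JSON-style objects and null-prototype objects as plain filters;
  // ObjectIds, Dates, Buffers etc. are left untouched.
  return proto === Object.prototype || proto === null;
}

// Returns a copy of `filter` with every `$nor` key removed at any depth and
// counts the dropped clauses in `stats` so callers can log the event.
function stripNor(filter, stats = { removed: 0 }) {
  if (Array.isArray(filter)) {
    return filter.map((item) => stripNor(item, stats));
  }
  if (!isPlainObject(filter)) {
    return filter; // primitives and driver types pass through unchanged
  }
  const clean = {};
  for (const [key, value] of Object.entries(filter)) {
    if (key === '$nor') {
      stats.removed += 1;
      continue; // the whole clause is discarded, operators inside included
    }
    clean[key] = stripNor(value, stats);
  }
  return clean;
}

// Constructed sample: a filter built from untrusted JSON that carries one
// top-level `$nor` and one `$nor` nested inside `$and`.
const untrustedFilter = {
  username: 'alice',
  $nor: [{ password: { $ne: null } }],
  $and: [{ active: true }, { $nor: [{ role: 'admin' }] }],
};

const stats = { removed: 0 };
const safeFilter = stripNor(untrustedFilter, stats);
// safeFilter is { username: 'alice', $and: [{ active: true }, {}] }; stats.removed is 2

// Illustrative wiring into a schema (assumed Mongoose API, not run here):
// schema.pre(['find', 'findOne', 'countDocuments'], function (next) {
//   this.setQuery(stripNor(this.getFilter()));
//   next();
// });
```

An empty object left behind inside `$and` matches every document, which is the intended effect of discarding the clause; reject the request instead if stats.removed is non-zero and a stricter policy is wanted.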
