How the mentioned CVE works:
The vulnerability bypasses Mongoose's sanitizeFilter protection through the $nor operator. When sanitizeFilter is enabled, Mongoose normally wraps query operators such as $ne, $gt or $regex inside $eq so that they are matched literally instead of being interpreted. This sanitization recursively traverses logical operators such as $and and $or. Prior to the fix, however, $nor was not in the set of operators that are recursed into.

Since $nor takes an array of conditions, and an array does not trigger the hasDollarKeys() check (its keys are indices, not dollar-prefixed names), an attacker can place operators inside a $nor clause. For example, a query like { $nor: [ { username: { $ne: "admin" } } ] } passes sanitization unchanged: each $nor array element is treated as a regular object rather than as a dollar-keyed operator, so $ne, $gt, $regex and similar operators reach the database unsanitized. The flaw exists because the sanitizeFilter logic only handles certain top-level dollar keys and does not descend into $nor arrays.

The consequences are authentication bypass by manipulating password checks, unauthorized data access by filtering out protected records, and data exfiltration of sensitive fields. No special privileges are needed if the application passes raw user input (e.g., req.body) into Model.findOne() with sanitizeFilter enabled. Validating input against a schema or whitelisting fields prevents exploitation. The patch adds $nor to the list of logical operators that are recursively sanitized.
dailycve form:
Platform: Mongoose (Node.js)
Version: < 6.13.9, < 7.8.9, < 8.22.1, < 9.1.6
Vulnerability: sanitizeFilter bypass via $nor
Severity: Critical
Date: 2025 (varies)
Prediction: Patched already (Dec 2024)
What Undercode Say:
Test if vulnerable by injecting $nor with $ne
curl -X POST https://target.com/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$nor": [{"$ne": "realpass"}]}}'
// Mongoose model query before fix
const user = await User.findOne(req.body); // req.body contains $nor
// After fix, $nor is recursively sanitized

// Workaround: delete $nor keys at every nesting level, not only the top level,
// since sanitizeFilter also recurses into $and/$or arrays where $nor can appear
function sanitizeFilterCustom(query) {
  if (query == null || typeof query !== 'object') return query;
  if (Array.isArray(query)) { query.forEach(sanitizeFilterCustom); return query; }
  delete query.$nor;
  for (const key of Object.keys(query)) sanitizeFilterCustom(query[key]);
  return query;
}
Exploit:
Send JSON with a $nor array containing $ne, $gt, or $regex to bypass equality checks. Example: `{"email": {"$nor": [{"$ne": "[email protected]"}]}}` returns all non-admin users. For login: `{"username": "admin", "password": {"$nor": [{"$ne": "any"}]}}` matches any password.
Protection from this CVE:
Update Mongoose to ^6.13.9, ^7.8.9, ^8.22.1, or ^9.1.6. If updating is not possible, add middleware that strips $nor from query filters. Use schema validation (e.g., Zod, Joi) to reject dollar operators. Never pass raw req.body to Mongoose queries. Whitelist allowed fields explicitly.
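To make the mechanism described in "How the mentioned CVE works" and the "reject dollar operators" defence above concrete, here is an added example that is not Mongoose's own source and not from this write-up: a simplified model of sanitizeFilter parameterised by which logical operators it recurses into, so the pre-fix ($and/$or) and patched ($and/$or/$nor) behaviour can be compared on the $nor query quoted above, plus a strict validator that rejects any dollar-prefixed key in user input. The names makeSanitizer, containsDollarKey and demo, and the exact wrapping logic, are assumptions of this example.

```javascript
// Added example, not Mongoose's source: a simplified model of sanitizeFilter.
// An array never "has dollar keys" (its keys are indices), so a $nor array
// passes this check untouched unless the sanitizer recurses into it.
function hasDollarKeys(value) {
  return value != null && typeof value === 'object' &&
    Object.keys(value).some((k) => k[0] === '$');
}

// Build a sanitizer that recurses into the given logical operators and wraps
// any other operator object in $eq so it is matched literally (assumed model).
function makeSanitizer(logicalOps) {
  return function sanitize(filter) {
    if (filter == null || typeof filter !== 'object') return filter;
    if (Array.isArray(filter)) { filter.forEach(sanitize); return filter; }
    for (const key of Object.keys(filter)) {
      const value = filter[key];
      if (logicalOps.has(key)) { sanitize(value); continue; }
      if (hasDollarKeys(value)) {
        const keys = Object.keys(value);
        if (keys.length === 1 && keys[0] === '$eq') continue;
        filter[key] = { $eq: value }; // neutralise $ne/$gt/$regex/...
      }
    }
    return filter;
  };
}

const sanitizeBeforeFix = makeSanitizer(new Set(['$and', '$or']));
const sanitizeAfterFix = makeSanitizer(new Set(['$and', '$or', '$nor']));

// Strict validator for the recommended defence: reject any '$'-prefixed key
// anywhere in user-supplied JSON rather than trying to neutralise it.
function containsDollarKey(value) {
  if (value == null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsDollarKey);
  return Object.keys(value).some((k) => k[0] === '$' || containsDollarKey(value[k]));
}

// Constructed input: the $nor query from the write-up above.
function demo() {
  const payload = () => ({ $nor: [{ username: { $ne: 'admin' } }] });
  return {
    beforeFix: JSON.stringify(sanitizeBeforeFix(payload())), // $ne reaches the DB
    afterFix: JSON.stringify(sanitizeAfterFix(payload())),   // $ne wrapped in $eq
    rejected: containsDollarKey(payload()),                  // validator blocks it
  };
}
```

Run demo() to see that the pre-fix sanitizer returns the $nor query unchanged while the patched one rewrites the inner $ne to { $eq: { $ne: "admin" } }, and that the validator rejects the input outright.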
Impact:
Authentication bypass allowing an attacker to log in without valid credentials. Unauthorized read access to documents that should be hidden. Data exfiltration by injecting regex to extract field values slowly. Complete bypass of the sanitizeFilter protection, breaking a key security layer.
Sources:
Reported By: github.com