chore(deps): update dependency mongoose to v9.1.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	9.1.1 → 9.1.6

---

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

CVE-2026-42334 / GHSA-wpg9-53fq-2r8h

More information

Details

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

• Authentication bypass
• Unauthorized data access
• Data exfiltration

Affected users:

Applications that:

• Explicitly enable sanitizeFilter
• Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

• ^6.13.9
• ^7.8.9
• ^8.22.1
• ^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h
• https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()
• https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html
• https://nvd.nist.gov/vuln/detail/CVE-2026-42334
• https://github.com/advisories/GHSA-wpg9-53fq-2r8h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Automattic/mongoose (mongoose)

v9.1.6

Compare Source

==================

• fix: handle other top-level query operators in sanitizeFilter
• fix(types): fix toObject() type inference with timestamps + virtuals #​15975 #​15965 AbdelrahmanHafez
• fix(populate): defer subpopulate until after match functions to avoid comparing populated subdocs #​15981 mongodb-js/mongoose-autopopulate#112
• fix(DocumentArray): correctly clone subdocument when updating document array #​15978 #​15973
• fix(documentArray): fix change tracking for documentArrays in nested maps #​15983 #​15970 AbdelrahmanHafez
• docs: clarify that you need to explicitly create timeseries collection before inserting document #​15990 #​15986

v9.1.5

Compare Source

==================

• fix(map): validate map subdocument when loaded with init #​15960 #​15957 AbdelrahmanHafez
• fix(discriminator): prevent indexes and callQueue duplication with shared nested schemas #​15974 #​15966 AbdelrahmanHafez
• fix(subdocuments): do not pass parent path on init #​15970 #​15969 #​15682 AbdelrahmanHafez
• types(inferrawdoctype): correct handling for subdocs and doc arrays #​15967 #​13772
• docs: improve grammar and clarity in TypeScript schema comments #​15971 harshsinghpujari

v9.1.4

Compare Source

==================

• fix: attach sessions to docs retrieved by cursor #​15953 #​15949 mjfwalsh
• fix(model): make hydrate() handle nested schema arrays #​15964 #​15956
• fix(clone): fix parent doc for map subdocuments and array subdocuments #​15958 #​15954 AbdelrahmanHafez
• fix: prevent crash when accessing nested paths on prototype #​15962 #​15961 som14062005

v9.1.3

Compare Source

==================

• fix(model): support timestamps option to insertMany() as both boolean and QueryTimestampsConfig #​15941 #​15938
• fix(query): include preview of current and incoming update in error when merging normal update with pipeline #​15939 #​15928
• types(model): apply basic type casting to paths underneath subdocuments #​15948 #​15947
• types(utility): make WithLevel1NestedPaths correctly handle PopulatedDoc and other TypeScript unions with Document members #​15942 #​15923
• docs(schema): expose "DocumentArrayElement" #​15590 hasezoey

v9.1.2

Compare Source

==================

• fix(subdocs): pass options to pre-save hooks for subdocs #​15921 #​15920 AbdelrahmanHafez
• perf(model): select only _id when checking document existence during save() #​15919 AbdelrahmanHafez

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
express-boilerplate	Ready	Preview, Comment	May 6, 2026 8:58pm