[GHSA-vg7j-7cwx-8wgw] Mongoose search injection vulnerability

[ljharb]

Updates

• Affected products
• Description

Comments
Versions 0.0.1 through 3.5.16 are unaffected by this vulnerability. The vulnerable match option for mongoose populate() was introduced in version 3.8.0 (commit 29b1c35 - Nov 2013). Earlier versions do not have this code path and cannot be exploited via nested $where injection in populate match queries. Testing confirms the PoC does not trigger on versions before 3.8.0.

[ljharb]

same as #6769

[Copilot]

Pull request overview

This PR corrects the security advisory GHSA-vg7j-7cwx-8wgw for a Mongoose search injection vulnerability by updating the affected version range and adding a hyperlink reference to the related incomplete fix.

Changes:

• Updated the earliest affected version from "0" to "3.8.0" based on testing that confirmed versions before 3.8.0 are not vulnerable
• Added hyperlink to related CVE-2024-53900 advisory for context about the incomplete fix
• Updated the modified timestamp to reflect the correction

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JonathanLEvans]

I can't find commit 29b1c35 in https://github.com/Automattic/mongoose. Also, https://www.npmjs.com/package/mongoose/v/3.8.0 was published in Oct 2013 so it can't have a commit from Nov 2013.

[JonathanLEvans]

same as #6769

In #6769, we established 3.6.0-rc0 was the first affected. Here you are saying it is 3.8.0.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[ljharb]

whoops, sorry I missed this. i'll close, and resubmit it with corrected information.