Summary
@payloadcms/db-mongodb@3.84.1 pins mongoose: 8.15.1 as an exact dependency. That version is vulnerable to a high-severity advisory affecting all 8.x releases before 8.22.1.
This is the same pattern as #9729 (CVE-2024-53900), where a Mongoose upgrade was applied for a prior CVE. A new advisory has since been published.
Vulnerability details
| Severity | Advisory | Vulnerable | Patched |
| --- | --- | --- | --- |
| High | GHSA-wpg9-53fq-2r8h — Improper Sanitization of $nor in sanitizeFilter may allow NoSQL Injection | >= 8.0.0 <= 8.22.0 | >= 8.22.1 |
(Note: this is a different, newer advisory from CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw, which was patched in mongoose@8.9.5 and is no longer present in payload's current 8.15.1 pin.)
Current pin
packages/db-mongodb/package.json declares:
Reproduction
```sh
mkdir mongoose-cve && cd mongoose-cve
npm init -y
npm install @payloadcms/db-mongodb@3.84.1
npm audit
```
GHSA-wpg9-53fq-2r8h appears.
Requested fix
Bump @payloadcms/db-mongodb's declared mongoose dependency to ^8.22.1 (or wider). This is a patch-version bump within the same 8.x line, so no behavioral changes are expected for the adapter.
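Two defender-side checks that follow from the advisory above, as an added example (this is not code from the issue, from Payload or from Mongoose): a startup check that compares the mongoose version Node actually resolves against the advisory's vulnerable range (so an exact pin or a lockfile regression fails fast instead of waiting for the next `npm audit`), and an allow-list filter builder that turns untrusted request parameters into scalar equality matches only, so a correct `sanitizeFilter` is not the only thing between user input and the query. The function names, the `allowedFields` parameter and the sample inputs are assumptions of this example; the version bounds come from the advisory table.

```javascript
// Added example, not from the Payload issue or the Mongoose project.
// Version bounds are the advisory's: vulnerable >= 8.0.0 <= 8.22.0, patched >= 8.22.1.
const VULNERABLE_MIN = [8, 0, 0];
const PATCHED_MIN = [8, 22, 1];

// Parse "8.15.1" (a leading "v" or a prerelease/build suffix is tolerated and
// ignored, so "8.22.1-rc.0" counts as 8.22.1) into [8, 15, 1].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside the advisory's vulnerable range.
function isVulnerableMongooseVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, VULNERABLE_MIN) >= 0 && compareVersions(v, PATCHED_MIN) < 0;
}

// The version Node resolves from node_modules, not the one package.json declares.
// Returns null when mongoose is not installed (as in a stand-alone run of this file).
function installedMongooseVersion() {
  try {
    return require('mongoose/package.json').version;
  } catch {
    return null;
  }
}

// Startup check: returns { version, vulnerable } so the caller can refuse to boot.
function checkInstalledMongoose() {
  const version = installedMongooseVersion();
  return { version, vulnerable: version !== null && isVulnerableMongooseVersion(version) };
}

// Build a MongoDB/Mongoose filter from untrusted key/value pairs (e.g. a parsed
// query string). Only string/number/boolean equality on allow-listed fields is
// accepted; operator keys ("$nor", "$where", ...) and nested objects or arrays
// are rejected before anything reaches the driver.
function toEqualityFilter(userInput, allowedFields) {
  if (userInput === null || typeof userInput !== 'object' || Array.isArray(userInput)) {
    throw new TypeError('filter input must be a plain object');
  }
  const allowed = new Set(allowedFields);
  const filter = {};
  for (const [key, value] of Object.entries(userInput)) {
    if (key.startsWith('$')) throw new Error(`operator keys are not allowed: ${key}`);
    if (!allowed.has(key)) throw new Error(`field not allowed: ${key}`);
    const t = typeof value;
    if (t !== 'string' && t !== 'number' && t !== 'boolean') {
      throw new Error(`field ${key} must be a scalar, got ${t}`);
    }
    filter[key] = value;
  }
  return filter;
}

// Usage with constructed sample input (assumed field names):
// checkInstalledMongoose()                                  -> { version: null, vulnerable: false } when mongoose is absent
// isVulnerableMongooseVersion('8.15.1')                     -> true  (the current pin)
// isVulnerableMongooseVersion('8.22.1')                     -> false (first patched release)
// toEqualityFilter({ email: 'a@example.test' }, ['email'])  -> { email: 'a@example.test' }
// toEqualityFilter({ email: { $ne: '' } }, ['email'])       -> throws
```

Wire `checkInstalledMongoose()` into the adapter's startup path or a CI step; once the dependency is bumped to ^8.22.1 the check simply passes, and it keeps protecting against a later override or lockfile drift back into the vulnerable range.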
Workaround used downstream
Pinned via pnpm override:
```yaml
overrides:
  mongoose@<8.22.1: ">=8.22.1"
```
Related
- #9729 — CVE-2024-53900 - Upgrade Mongoose to 8.8.3 — prior mongoose CVE issue (resolved)
- #16489 — chore(db-mongodb): bump mongoose to 8.9.5 — recent bump targeting the payload 2.x branch for CVE-2025-23061 (GHSA-vg7j-7cwx-8wgw, a different, older advisory). The 3.x line was unaffected by that earlier CVE but is affected by GHSA-wpg9-53fq-2r8h, which has not been addressed.
- #12755 — fix(db-mongodb): bump mongoose to 8.15.1 — current pin on main
- #9747 — fix(db-mongodb): bump mongoose to 8.8.3 — fix for #9729 (CVE-2024-53900 - Upgrade Mongoose to 8.8.3)
- feat(db-mongodb)!: update mongoose to 8.8.1 — initial 8.x adoption
Environment
- payload: 3.84.1
- @payloadcms/db-mongodb: 3.84.1
- Node: 22+
- Package manager: pnpm 11