
The CVE-2025-23061 advisory is incomplete and npm audit is wrong #15186

Closed
2 tasks done
jsilvawbc opened this issue Jan 17, 2025 · 29 comments

Comments

@jsilvawbc

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Mongoose version

7.8.4

Node.js version

18

MongoDB server version

6

Typescript version (if applicable)

5.4

Description

The commit lists as fixed versions: 8.9.5, 7.8.4, and 6.13.6.

The CVE advisory however: Affected versions: < 8.9.5 / Patched versions: 8.9.5

Steps to Reproduce

On a project with version 7.8.4 or 6.13.6, run: npm audit

Expected Behavior

No vulnerability reported.

@hunkydoryrepair

I think you (or somebody) would have to report that to CVE.org.

@vkarpov15
Collaborator

I updated the vulnerability in Tidelift to indicate that 7.8.4 and 6.13.6 have a fix. GitHub already has the correct patched versions, so that should propagate to npm audit, because npm audit supposedly pulls from GitHub advisories.

@eldhoseelias

Image

@skhilliard

Just to show that it still shows up for 6.13.6 also.

Image

@yuval-shimoni-hunters

yuval-shimoni-hunters commented Jan 19, 2025

We have the same issue.
We upgraded to ^6.13.6 and still get the critical warning.

Image

It indeed removes one reference, but still shows one error.

Image

Has anyone managed to solve it?

@ofekifergan

We are having the same issue and it's blocking us. Please fix this asap.

@ofekifergan

Any update?

@eranziz

eranziz commented Jan 20, 2025

It's happening for me also. Very urgent. Any updates for a fix?????

@dudilugasi

This issue is happening to me as well. It's important to address this because the CVE advisory and npm audit results are conflicting, causing unnecessary concerns for projects using the supposedly patched versions (7.8.4 and 6.13.6). Clarifying the advisory and ensuring npm audit reflects the correct information is crucial for maintaining trust and reliability in vulnerability reporting.

@royscymulate

I'm encountering the same problem. It's urgent—any updates on resolving this?

@jsilvawbc
Author

Perhaps the only way out of this is for the maintainer @vkarpov15 to issue a new version bump for v6 and v7 to force npm to refresh the audit reports, as the original CVE was updated after the fact.

@jsilvawbc
Author

jsilvawbc commented Jan 20, 2025

I'm having trouble getting help from npm directly. I initially reached out to them via email as advised, but they directed me to their support website, which requires logging in to submit a request.

I was only able to access the malware report form without logging in, which isn't relevant to my issue. I did attempt to contact them using the only form available, but I'd appreciate it if we could discuss a solution directly here.

I've provided detailed information, including a link to this GitHub issue, and I'd like to avoid having to recreate my request on a different platform if possible.

[npm Support] Confirmation - Request Received (#3191583)

@vkarpov15
Collaborator

Ok, I'll ship a version bump for v6 and v7 now. I'm sorry for the trouble - in our defense, we didn't file the CVE report; if I understand correctly, Tidelift filed the CVE for us. We will have to make it clearer next time that we will ship fixes for 6.x and 7.x as well.

@eldhoseelias

Issue still exists with 7.8.4 and 7.8.5

@jsilvawbc
Author

Yes, sadly it did not work the way I expected. I am a simple user. Someone with actual reputation should escalate the issue at npm.

@vkarpov15
Collaborator

Yeah I pushed a version bump, but I am still getting an npm audit warning:

$ npm audit
# npm audit report

mongoose  <8.9.5
Severity: critical
Mongoose search injection vulnerability - https://github.com/advisories/GHSA-vg7j-7cwx-8wgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mongoose

1 critical severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
$ head node_modules/mongoose/package.json 
{
  "name": "mongoose",
  "description": "Mongoose MongoDB ODM",
  "version": "7.8.6",
  "author": "Guillermo Rauch <[email protected]>",
  "keywords": [
    "mongodb",
    "document",
    "model",
    "schema",

Will reach out to npm support.

@vkarpov15
Collaborator

I have reached out to npm support, will post here when I have an update.

Image

@royscymulate

Any updates?

@jsilvawbc
Author

I think it's worth noting that the recent layoffs at Microsoft, which owns npm, may be contributing to the delays and inefficiencies in addressing this issue. Microsoft laid off 5% of its global workforce in January 2023, and reports indicate that the company is continuing to cut jobs, including another 1% of the workforce, with roles in the security division being affected.

These layoffs may have impacted the npm team and their ability to respond to issues like this one. While the maintainer has already reached out to npm support, we’re not receiving the attention needed to resolve this problem.

Does anyone have connections with people who still work at Microsoft, particularly in the npm team, who could help escalate this issue to a higher level? It would be beneficial to gain more visibility and priority on this matter, as it affects multiple projects and users.

Let's keep the conversation constructive and focused on finding a solution. If anyone has suggestions or ideas on how to move this forward, please share them.

Thank you.

@Jehadsama

Any further updates?

@sudhackar

sudhackar commented Jan 24, 2025

Copying from cli issue:
This is because, even though the advisory seems to be fixed on GitHub, the npm registry API is returning it as vulnerable. There's probably caching at some layer, as updates to an advisory might take time.

$ curl -s  https://registry.npmjs.org/-/npm/v1/security/advisories/bulk --json '{"mongoose": ["7.8.6"]}' | jq .
{
  "mongoose": [
    {
      "id": 1101526,
      "url": "https://github.com/advisories/GHSA-vg7j-7cwx-8wgw",
      "title": "Mongoose search injection vulnerability",
      "severity": "critical",
      "vulnerable_versions": "<8.9.5",
      "cwe": [
        "CWE-94"
      ],
      "cvss": {
        "score": 9.1,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
      }
    }
  ]
}

$ curl -s  https://registry.npmjs.org/-/npm/v1/security/advisories/bulk --json '{"mongoose": ["8.9.5"]}' | jq .
{}

github/advisory-database@acba20c shows the new updated versions were fixed last week; this is a long time.
https://api.github.com/advisories/GHSA-vg7j-7cwx-8wgw also returns the correct values:

$ curl -s https://api.github.com/advisories/GHSA-vg7j-7cwx-8wgw | jq -r ".vulnerabilities[].first_patched_version"
8.9.5
7.8.4
6.13.6

Additionally:

So the problem boils down to the npm registry API at registry.npmjs.org, which is not open source, and the only way to get it fixed is through the npm org, as vkarpov15 has reached out.

A solution right now could be to allowlist this advisory.

@vkarpov15
Collaborator

I haven't heard back from npm, all I got was the following seemingly automated message:

Image

@skrtheboss
Contributor

It seems to have been fixed now 🎊 🚀

@sudhackar

The API seems to be returning correct values now:

"vulnerable_versions": "<6.13.6",
"vulnerable_versions": ">=7.0.0-rc0 <7.8.4",
"vulnerable_versions": ">=8.0.0-rc0 <8.9.5",

for

$ curl -s  https://registry.npmjs.org/-/npm/v1/security/advisories/bulk --json '{"mongoose": ["8.9.1"]}' | jq .
{
  "mongoose": [
    {
      "id": 1101840,
      "url": "https://github.com/advisories/GHSA-vg7j-7cwx-8wgw",
      "title": "Mongoose search injection vulnerability",
      "severity": "critical",
      "vulnerable_versions": ">=8.0.0-rc0 <8.9.5",
      "cwe": [
        "CWE-94"
      ],
      "cvss": {
        "score": 9.1,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
      }
    }
  ]
}
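An added consistency check, not code from the thread or from the Mongoose project, tying together the stale registry response quoted in sudhackar's Jan 24 comment and the corrected one above: it classifies an installed version as clean, vulnerable, or flagged only by a stale registry mirror, by comparing the registry's vulnerable_versions ranges with the first_patched_version list from the GitHub advisory API. The JSON objects are constructed copies of the responses on this page trimmed to the fields needed, and the version comparator is a deliberately minimal one written for these ranges, not the semver package.

```javascript
// Added example (not the issue's or Mongoose's code): flag a version that the npm registry
// still reports as vulnerable but GitHub lists as patched, i.e. a stale advisory mirror.
// The responses are constructed copies of those quoted in the thread, trimmed to what is needed.
const url = "https://github.com/advisories/GHSA-vg7j-7cwx-8wgw";
const ghAdvisory = { ghsa_id: "GHSA-vg7j-7cwx-8wgw", vulnerabilities: [
  { first_patched_version: "8.9.5" }, { first_patched_version: "7.8.4" }, { first_patched_version: "6.13.6" } ] };
const npmBulkStale = { mongoose: [{ id: 1101526, url, vulnerable_versions: "<8.9.5" }] };
const npmBulkFixed = { mongoose: [
  { id: 1101840, url, vulnerable_versions: "<6.13.6" },
  { id: 1101840, url, vulnerable_versions: ">=7.0.0-rc0 <7.8.4" },
  { id: 1101840, url, vulnerable_versions: ">=8.0.0-rc0 <8.9.5" } ] };
// Minimal semver comparison written for this check (not the semver package): numeric
// major.minor.patch, and a pre-release tag sorts below the release with the same triple.
function parseVersion(v) {
  const [core, pre] = v.split("-");
  return { nums: core.split(".").map(Number), pre: pre ?? null };
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null || pb.pre === null) return pa.pre === null ? 1 : -1;
  return pa.pre < pb.pre ? -1 : 1;
}
const OPS = { "<": (c) => c < 0, "<=": (c) => c <= 0, ">": (c) => c > 0, ">=": (c) => c >= 0, "=": (c) => c === 0 };
// A registry range such as ">=7.0.0-rc0 <7.8.4" is a space-separated AND of comparators.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((cmp) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
    return OPS[m[1] || "="](compareVersions(version, m[2]));
  });
}
// GitHub lists one first_patched_version per affected release line; the installed version
// counts as patched when it is at or above the patched version of its own major.
function patchedPerGitHub(version, advisory) {
  const major = parseVersion(version).nums[0];
  const line = advisory.vulnerabilities.map((v) => v.first_patched_version)
    .find((p) => parseVersion(p).nums[0] === major);
  return line !== undefined && compareVersions(version, line) >= 0;
}
// "clean": registry does not flag it; "vulnerable": registry flags it and GitHub agrees;
// "stale-mirror": registry flags it although GitHub says it is patched.
function classify(pkg, version, bulk, advisory) {
  const flagged = (bulk[pkg] || []).some((e) =>
    e.url.endsWith(advisory.ghsa_id) && satisfies(version, e.vulnerable_versions));
  if (!flagged) return "clean";
  return patchedPerGitHub(version, advisory) ? "stale-mirror" : "vulnerable";
}
console.log(classify("mongoose", "7.8.6", npmBulkStale, ghAdvisory)); // → stale-mirror
```

A "stale-mirror" result is the signal to allowlist the advisory temporarily and re-check the registry later, rather than to force a breaking major upgrade.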

@jsilvawbc
Author

Good! I confirmed and it's okay now. Thank you. Closing.

@hbazan-pp

What happened to tag 7.8.6? The latest for @7 is now 7.8.4; when this issue started there was a 7.8.6 version.
Also, does 7.8.4 have this CVE fixed?

@jsilvawbc
Author

What happened to tag 7.8.6? The latest for @7 is now 7.8.4; when this issue started there was a 7.8.6 version. Also, does 7.8.4 have this CVE fixed?

It's fine. 73e81ab...b29ee14 🙏

@hbazan-pp

If I check the tags list on this repo, there's no 7.8.6.
Image

@jsilvawbc
Author

If I check the tags list on this repo, there's no 7.8.6.

@vkarpov15 Can you please take a look, and make/push the tags? Thank you.
