The CVE-2025-23061 advisory is incomplete and `npm audit` is wrong
Problem
Prerequisites

- [x] I have written a descriptive issue title
- [x] I have searched existing issues to ensure the bug has not already been reported

Mongoose version: 7.8.4
Node.js version: 18
MongoDB server version: 6
Typescript version (if applicable): 5.4

Description

The commit lists as fixed versions: 8.9.5, 7.8.4, and 6.13.6. The CVE advisory, however, says: Affected versions: < 8.9.5 / Patched versions: 8.9.5.

Steps to Reproduce

On a project with versions 7.8.4 or 6.13.6, run `npm audit`.

Expected Behavior

No vulnerability reported.
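To make the mismatch concrete, here is an added example (not code from the issue, from Mongoose, or from npm) that implements a small dependency-free semver range matcher and evaluates the installed versions from the report against two forms of the advisory: the single published range `< 8.9.5`, and the same advisory split per release line using the fixed versions the commit names (8.9.5, 7.8.4, 6.13.6). The lower bounds `>=6.0.0`, `>=7.0.0` and `>=8.0.0` in the per-major form are an assumption about how such an advisory would be written, and the list of installed versions is constructed for the demonstration. It shows why an audit tool that reads only the published range flags 7.8.4 and 6.13.6 even though both contain the fix.

```javascript
// Added example, not code from the issue, Mongoose or npm: a tiny
// dependency-free semver range matcher that reproduces the mismatch
// between the published advisory range and the fixed versions.
// Pre-release tags and build metadata are deliberately not handled.

// Parse "MAJOR.MINOR.PATCH" into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as "<8.9.5" or ">=7.0.0" against a version.
function satisfies(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const op = m[1] || '=';
  const c = compareVersions(version, m[2]);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// A vulnerable range is a list of OR-ed clauses, each clause a list of
// AND-ed comparators, mirroring the "rangeA || rangeB" notation.
function isVulnerable(version, vulnerableRanges) {
  return vulnerableRanges.some(clause => clause.every(c => satisfies(version, c)));
}

// The advisory as published: one range, which also covers every 6.x and 7.x.
const ADVISORY_AS_PUBLISHED = [['<8.9.5']];

// The same advisory written per release line from the commit's fixed
// versions (8.9.5, 7.8.4, 6.13.6). The lower bounds are an assumption.
const ADVISORY_PER_MAJOR = [
  ['>=8.0.0', '<8.9.5'],
  ['>=7.0.0', '<7.8.4'],
  ['>=6.0.0', '<6.13.6'],
];

// Audit-style check: return the installed versions a range would flag.
function audit(installedVersions, vulnerableRanges) {
  return installedVersions.filter(v => isVulnerable(v, vulnerableRanges));
}

// Constructed sample of installed versions spanning the three release lines.
const INSTALLED = ['6.13.5', '6.13.6', '7.8.3', '7.8.4', '8.9.4', '8.9.5'];

console.log('flagged by published range :', audit(INSTALLED, ADVISORY_AS_PUBLISHED));
console.log('flagged by per-major range :', audit(INSTALLED, ADVISORY_PER_MAJOR));
```

Under the published range the audit flags 6.13.5, 6.13.6, 7.8.3, 7.8.4 and 8.9.4; under the per-major range only 6.13.5, 7.8.3 and 8.9.4 remain, which is the "no vulnerability reported" outcome the issue expects for 7.8.4 and 6.13.6. The practical takeaway for anyone triaging such a finding is to compare the advisory's affected range against the project's own fixed-version list before treating the audit result as a real exposure.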
Solution
I updated the vulnerability in Tidelift to indicate that 7.8.4 and 6.13.6 have a fix. GitHub already has the correct patched versions, so that _should_ propagate to `npm audit` because `npm audit` supposedly pulls from GitHub advisories.
Resolved in Automattic/mongoose GitHub issue #15186. Community reactions: 1 upvote.
Submitted by
Alex Chen