Express / Node.js security dependency alerts

Rule body

# Express / Node.js security dependency alerts

Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files.

Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades.

### CVE-2023-25813 — Sequelize vulnerable to SQL Injection via replacements

Context: Mixing literal SQL with named replacements allows attackers to inject SQL through replacement parameters not properly escaped in the query.
Source: https://github.com/advisories/GHSA-wrh9-cjv3-2hpw

WHEN you detect `sequelize` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2023-25813: sequelize may be vulnerable. Mixing literal SQL with named replacements allows attackers to inject SQL through replacement parameters not properly escaped in the query. Patched versions: sequelize >=6.19.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls sequelize`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2023-22578 — Sequelize - Default support for “raw attributes” when using parentheses

Context: Sequelize attributes with parentheses can inject arbitrary SQL expressions bypassing safe query construction.
Source: https://github.com/advisories/GHSA-f598-mfpv-gmfx

WHEN you detect `sequelize` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2023-22578: sequelize may be vulnerable. Sequelize attributes with parentheses can inject arbitrary SQL expressions bypassing safe query construction. Patched versions: sequelize >=6.29.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls sequelize`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2023-3696 — Mongoose Prototype Pollution vulnerability

Context: Attacker-controlled data can pollute Object prototypes, compromising object defaults across the entire application.
Source: https://github.com/advisories/GHSA-9m93-w8w6-76hh

WHEN you detect `mongoose` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2023-3696: mongoose may be vulnerable. Attacker-controlled data can pollute Object prototypes, compromising object defaults across the entire application. Patched versions: mongoose >=5.13.20

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls mongoose`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2022-24304 — Mongoose Vulnerable to Prototype Pollution in Schema Object

Context: Unvalidated schema paths can pollute Object prototype and cause application-wide denial of service.
Source: https://github.com/advisories/GHSA-h8hf-x3f4-xwgp

WHEN you detect `mongoose` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2022-24304: mongoose may be vulnerable. Unvalidated schema paths can pollute Object prototype and cause application-wide denial of service. Patched versions: mongoose >=5.13.15

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls mongoose`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-23061 — Mongoose search injection vulnerability

Context: The $where operator executes arbitrary JavaScript within MongoDB queries, allowing attackers to inject code that accesses or modifies database records.
Source: https://github.com/advisories/GHSA-vg7j-7cwx-8wgw

WHEN you detect `mongoose` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-23061: mongoose may be vulnerable. The $where operator executes arbitrary JavaScript within MongoDB queries, allowing attackers to inject code that accesses or modifies database records. Patched versions: mongoose >=6.13.6

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls mongoose`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2023-22579 — Unsafe fall-through in getWhereConditions

Context: Invalid where clause types silently fail instead of throwing, allowing unintended queries to execute without filtering.
Source: https://github.com/advisories/GHSA-vqfx-gj96-3w95

WHEN you detect `sequelize` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2023-22579: sequelize may be vulnerable. Invalid where clause types silently fail instead of throwing, allowing unintended queries to execute without filtering. Patched versions: sequelize >=6.28.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls sequelize`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2022-23539 — jsonwebtoken unrestricted key type could lead to legacy keys usage 

Context: Mismatched key types and algorithms in JWT verification can allow legacy insecure keys like DSA to validate signatures they shouldn't.
Source: https://github.com/advisories/GHSA-8cf7-32gw-wr33

WHEN you detect `jsonwebtoken` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2022-23539: jsonwebtoken may be vulnerable. Mismatched key types and algorithms in JWT verification can allow legacy insecure keys like DSA to validate signatures they shouldn't. Patched versions: jsonwebtoken >=9.0.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls jsonwebtoken`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2021-23337 — Command Injection in lodash

Context: Template functions can execute arbitrary code when processing untrusted input strings.
Source: https://github.com/advisories/GHSA-35jh-r3h4-6jhm

WHEN you detect `lodash` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2021-23337: lodash may be vulnerable. Template functions can execute arbitrary code when processing untrusted input strings. Patched versions: lodash >=4.17.21

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls lodash`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-4800 — lodash vulnerable to Code Injection via `_.template` imports key names

Context: Template imports with untrusted key names can execute arbitrary code via Function constructor injection during compilation.
Source: https://github.com/advisories/GHSA-r5fr-rjxr-66jc

WHEN you detect `lodash` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-4800: lodash may be vulnerable. Template imports with untrusted key names can execute arbitrary code via Function constructor injection during compilation. Patched versions: lodash >=4.18.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls lodash`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2022-2564 — automattic/mongoose vulnerable to Prototype pollution via Schema.path

Context: Prototype pollution through Schema.path() can modify Object prototypes and cause denial of service attacks.
Source: https://github.com/advisories/GHSA-f825-f98c-gj3g

WHEN you detect `mongoose` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2022-2564: mongoose may be vulnerable. Prototype pollution through Schema.path() can modify Object prototypes and cause denial of service attacks. Patched versions: mongoose >=5.13.15

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls mongoose`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-47944 — Multer vulnerable to Denial of Service from maliciously crafted requests

Context: Malformed multipart upload requests can crash the application if parsing exceptions aren't properly caught and handled.
Source: https://github.com/advisories/GHSA-4pg4-qvpc-4q3h

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-47944: multer may be vulnerable. Malformed multipart upload requests can crash the application if parsing exceptions aren't properly caught and handled. Patched versions: multer >=2.0.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-48997 — Multer vulnerable to Denial of Service via unhandled exception

Context: Empty form field names in file uploads can crash the server process without proper validation and error handling.
Source: https://github.com/advisories/GHSA-g5hg-p3ph-g8qg

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-48997: multer may be vulnerable. Empty form field names in file uploads can crash the server process without proper validation and error handling. Patched versions: multer >=2.0.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-47935 — Multer vulnerable to Denial of Service via memory leaks from unclosed streams

Context: Unclosed streams on request errors cause memory and file descriptor leaks leading to denial of service.
Source: https://github.com/advisories/GHSA-44fp-w29j-9vj5

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-47935: multer may be vulnerable. Unclosed streams on request errors cause memory and file descriptor leaks leading to denial of service. Patched versions: multer >=2.0.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-7338 — Multer vulnerable to Denial of Service via unhandled exception from malformed request

Context: Malformed multipart requests can crash the application if middleware exceptions are not caught and handled.
Source: https://github.com/advisories/GHSA-fjgf-rc76-4x9p

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-7338: multer may be vulnerable. Malformed multipart requests can crash the application if middleware exceptions are not caught and handled. Patched versions: multer >=2.0.2

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2024-53900 — Mongoose search injection vulnerability

Context: The $where operator in MongoDB queries executes arbitrary JavaScript code, risking injection attacks when user input is passed unsanitized.
Source: https://github.com/advisories/GHSA-m7xq-9374-9rvx

WHEN you detect `mongoose` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2024-53900: mongoose may be vulnerable. The $where operator in MongoDB queries executes arbitrary JavaScript code, risking injection attacks when user input is passed unsanitized. Patched versions: mongoose >=5.13.23

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls mongoose`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-3304 — Multer vulnerable to Denial of Service via incomplete cleanup

Context: Malformed multipart requests can exhaust server resources if file cleanup fails after incomplete uploads.
Source: https://github.com/advisories/GHSA-xf7r-hgr6-v32p

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-3304: multer may be vulnerable. Malformed multipart requests can exhaust server resources if file cleanup fails after incomplete uploads. Patched versions: multer >=2.1.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-2359 — Multer vulnerable to Denial of Service via resource exhaustion

Context: Incomplete file uploads can exhaust server resources if cleanup handlers aren't triggered on connection drops.
Source: https://github.com/advisories/GHSA-v52c-386h-88mc

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-2359: multer may be vulnerable. Incomplete file uploads can exhaust server resources if cleanup handlers aren't triggered on connection drops. Patched versions: multer >=2.1.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-3520 — Multer Vulnerable to Denial of Service via Uncontrolled Recursion

Context: Malformed multipart requests can trigger uncontrolled recursion, exhausting stack space and crashing the application.
Source: https://github.com/advisories/GHSA-5528-5vmv-3xc2

WHEN you detect `multer` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-3520: multer may be vulnerable. Malformed multipart requests can trigger uncontrolled recursion, exhausting stack space and crashing the application. Patched versions: multer >=2.1.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls multer`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-30951 — Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Context: Unescaped JSON cast types in where clauses enable SQL injection attacks through attacker-controlled object keys.
Source: https://github.com/advisories/GHSA-6457-6jrx-69cr

WHEN you detect `sequelize` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-30951: sequelize may be vulnerable. Unescaped JSON cast types in where clauses enable SQL injection attacks through attacker-controlled object keys. Patched versions: sequelize >=6.37.8

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls sequelize`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42334 — Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Context: The $nor operator in Mongoose bypasses sanitizeFilter, allowing NoSQL injection through nested operators like $ne, $gt, or $regex.
Source: https://github.com/advisories/GHSA-wpg9-53fq-2r8h

WHEN you detect `mongoose` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-42334: mongoose may be vulnerable. The $nor operator in Mongoose bypasses sanitizeFilter, allowing NoSQL injection through nested operators like $ne, $gt, or $regex. Patched versions: mongoose >=6.13.9

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls mongoose`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---