Request for backport fix of CVE-2024-53900 vulnerability to Mongoose v6.x

[mlevy-parasoft]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the bug has not already been reported

Mongoose version

6.x

Node.js version

14.x

MongoDB server version

4.x

Typescript version (if applicable)

No response

Description

This is a request for backporting the fix here to 6.x:
c9e86bf

Steps to Reproduce

N/A

Expected Behavior

No response

[AlvaroVega]

And maybe for mongoose v5.x which is also still very used: https://www.npmjs.com/package/mongoose/v/5.13.22?activeTab=versions

[mlevy-parasoft]

It looks like this fix was already backported for 6.x, but it is still showing up as vulnerable because the NVD hasn't been updated yet. I see there were attempts to remedy this in the following issues:
#15074
github/advisory-database#5053

I am not sure when the NVD will reflect these updates, but I am closing this issue since the fix is already backported.

[vkarpov15]

We will consider backporting this to 5.x. 5.x has been EOL since March 1 2024, but I think we can make an exception.