CVE-2024-53900 - Upgrade Mongoose to 8.8.3 #9729

Closed
greenlover1991 opened this issue Dec 4, 2024 · 3 comments · Fixed by #9747

Comments

greenlover1991 commented Dec 4, 2024

Describe the Bug

CVE-2024-53900 affects mongoose versions lower than 8.8.3, which in turn affects @payloadcms/db-mongodb

Currently PayloadCMS is using 8.8.1

Link to the code that reproduces this issue

https://avd.aquasec.com/nvd/2024/cve-2024-53900

Reproduction Steps

  1. npx create-payload-app
  2. Choose MongoDB as database
  3. List all dependencies:
$ npm list --all 
myproject@1.0.0 /Users/code/myproject
├─┬ @payloadcms/db-mongodb@3.3.0
│ ├── http-status@1.6.2
│ ├── mongoose-aggregate-paginate-v2@1.1.2
│ ├── mongoose-paginate-v2@1.8.5
│ ├─┬ mongoose@8.8.1

Which area(s) are affected? (Select all that apply)

db-mongodb

Environment Info

Running `npm run payload info`:

Binaries:
  Node: 20.17.0
  npm: 10.8.2
  Yarn: 1.22.22
  pnpm: N/A
Relevant Packages:
  payload: 3.3.0
  next: 15.0.3
  @payloadcms/db-mongodb: 3.3.0
  @payloadcms/email-nodemailer: 3.3.0
  @payloadcms/graphql: 3.3.0
  @payloadcms/next/utilities: 3.3.0
  @payloadcms/payload-cloud: 3.3.0
  @payloadcms/richtext-lexical: 3.3.0
  @payloadcms/translations: 3.3.0
  @payloadcms/ui/shared: 3.3.0
  react: 19.0.0-rc-66855b96-20241106
  react-dom: 19.0.0-rc-66855b96-20241106
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.1.0: Thu Oct 10 21:00:32 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6030
  Available memory (MB): 36864
  Available CPU cores: 11
@greenlover1991 greenlover1991 added status: needs-triage Possible bug which hasn't been reproduced yet validate-reproduction labels Dec 4, 2024
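A check a maintainer could run against the same dependency tree, as an added example that is not part of this issue or of Payload's code: it walks the JSON that `npm ls --all --json` prints and reports every installed mongoose copy below 8.8.3, the version the issue names as fixed. The tree embedded below is constructed to mirror the `npm list` output above; `findVulnerable`, `parseVersion` and `compareVersions` are the example's own helpers, not npm or Payload APIs.

```javascript
// Added example (not from the Payload issue or project): walk the JSON that
// `npm ls --all --json` produces and flag every mongoose copy below the fixed
// version named in this issue (8.8.3). The input is constructed, not captured.
const FIXED = [8, 8, 3]; // first mongoose release the issue reports as patched

// Parse "8.8.1" into [8, 8, 1]; prerelease/build tags are ignored on purpose.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// Numeric major.minor.patch comparison: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// Recursively collect every installed copy of `name` older than `fixed`,
// together with the dependency path that pulled it in.
function findVulnerable(tree, name, fixed, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name && compareVersions(parseVersion(info.version), fixed) < 0) {
      hits.push({ version: info.version, path: here.join(' > ') });
    }
    hits.push(...findVulnerable(info, name, fixed, here));
  }
  return hits;
}

// Constructed `npm ls --all --json` excerpt matching the tree in the issue.
const SAMPLE_TREE = {
  name: 'myproject',
  version: '1.0.0',
  dependencies: {
    '@payloadcms/db-mongodb': {
      version: '3.3.0',
      dependencies: {
        mongoose: { version: '8.8.1' },
        'mongoose-paginate-v2': { version: '1.8.5' },
      },
    },
  },
};

for (const f of findVulnerable(SAMPLE_TREE, 'mongoose', FIXED)) {
  console.log(`mongoose ${f.version} < 8.8.3 via ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json`.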
github-actions bot commented Dec 4, 2024

Please add a reproduction in order for us to be able to investigate.

Depending on the quality of reproduction steps, this issue may be closed if no reproduction is provided.

Why was this issue marked with the invalid-reproduction label?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We prefer a link to a public GitHub repository created with create-payload-app@beta -t blank or a forked/branched version of this repository with tests added (more info in the reproduction-guide).

To make sure the issue is resolved as quickly as possible, please make sure that the reproduction is as minimal as possible. This means that you should remove unnecessary code, files, and dependencies that do not contribute to the issue. Ensure your reproduction does not depend on secrets, 3rd party registries, private dependencies, or any other data that cannot be made public. Avoid a reproduction including a whole monorepo (unless relevant to the issue). The easier it is to reproduce the issue, the quicker we can help.

Please test your reproduction against the latest version of Payload to make sure your issue has not already been fixed.

I added a link, why was it still marked?

Ensure the link is pointing to a codebase that is accessible (e.g. not a private repository). "example.com", "n/a", "will add later", etc. are not acceptable links -- we need to see a public codebase. See the above section for accepted links.

@r1tsuu r1tsuu closed this as completed in 840dde2 Dec 5, 2024
@github-actions github-actions bot removed the status: needs-triage Possible bug which hasn't been reproduced yet label Dec 5, 2024
github-actions bot commented Dec 6, 2024

🚀 This is included in version v3.5.0

github-actions bot commented Dec 8, 2024

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 8, 2024