The CVE-2025-23061 advisory is incomplete and `npm audit` is wrong

[jsilvawbc]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the bug has not already been reported

Mongoose version

7.8.4

Node.js version

18

MongoDB server version

6

Typescript version (if applicable)

5.4

Description

The commit lists as fixed versions: 8.9.5, 7.8.4, and 6.13.6

The CVE advisory however: Affected versions: < 8.9.5 / Patched versions: 8.9.5

Steps to Reproduce

On a project with versions 7.8.4, or 6.13.6 do an: npm audit

Expected Behavior

No vulnerability reported.

[hunkydoryrepair]

I think you (or somebody) would have to report that to CVE.org.

[vkarpov15]

I updated the vulnerability in Tidelift to indicate that 7.8.4 and 6.13.6 have a fix. GitHub already has the correct patched versions, so that should propagate to npm audit because npm audit supposedly pulls from GitHub advisories

[eldhoseelias]

[skhilliard]

Just to show that is still shows up for 6.13.6 also

[yuval-shimoni-hunters]

We have the same issue.
We upgraded to ^6.13.6 and still get the critical warning.

It indeed remove one reference, but still show one error

Is anyone manage to solve it?

[ofekifergan]

We are having the same issue and it's blocking us please fix this asap

[ofekifergan]

any update?

[eranziz]

it's happening for me also. very urgent. any updates for a fix ?????

[dudilugasi]

This issue is happening to me as well. It's important to address this because the CVE advisory and npm audit results are conflicting, causing unnecessary concerns for projects using the supposedly patched versions (7.8.4 and 6.13.6). Clarifying the advisory and ensuring npm audit reflects the correct information is crucial for maintaining trust and reliability in vulnerability reporting.

[royscymulate]

I'm encountering the same problem. It's urgent—any updates on resolving this

[jsilvawbc]

Perhaps the only way out of this is for the maintainer @vkarpov15 to issue a new version bump for v6 and v7 to force npm to refresh the audit reports, as the original CVE was updated after the fact.

[jsilvawbc]

I'm having trouble getting help from npm directly. I initially reached out to them via email as advised, but they directed me to their support website, which requires logging in to submit a request.

I was only able to access the malware report form without logging in, which isn't relevant to my issue. I did attempt to contact them using the only form available, but I'd appreciate it if we could discuss a solution directly here.

I've provided detailed information, including a link to this GitHub issue, and I'd like to avoid having to recreate my request on a different platform if possible.

[npm Support] Confirmation - Request Received (#3191583)

[vkarpov15]

Ok, I'll ship a version bump for v6 and v7 now. I'm sorry for the trouble - in our defense we didn't file the CVE report, if I understand correctly Tidelift filed the CVE for us, we will have to make it more clear next time that we will ship fixes for 6.x and 7.x as well.

[eldhoseelias]

Issue still exists with 7.8.4 and 7.8.5

[jsilvawbc]

Yes, sadly it did not work the way I expected. I am a simple user. Someone with actual reputation should escalate the issue at npm.