AikidoSec · timokoessler · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · May 15, 2026
diff --git a/README.md b/README.md
@@ -57,7 +57,7 @@ Zen for Node.js 16+ is compatible with:
 ### Database drivers
 
 - ✅ [`mongodb`](https://www.npmjs.com/package/mongodb) 4.x, 5.x, 6.x and 7.x _(npm package versions, not MongoDB server versions)_
-- ✅ [`mongoose`](https://www.npmjs.com/package/mongoose) 8.x, 7.x and 6.x
+- ✅ [`mongoose`](https://www.npmjs.com/package/mongoose) 9.x, 8.x, 7.x and 6.x
 - ✅ [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x
 - ✅ [`mysql`](https://www.npmjs.com/package/mysql) 2.x
 - ✅ [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x

diff --git a/end2end/tests/express-mongoose.test.js b/end2end/tests/express-mongoose.test.js
@@ -39,13 +39,17 @@ t.test("it blocks in blocking mode", (t) => {
         fetch("http://localhost:4000/?search[$ne]=null", {
           signal: AbortSignal.timeout(5000),
         }),
+        fetch("http://localhost:4000/?search[$nin]=foo", {
+          signal: AbortSignal.timeout(5000),
+        }),
         fetch("http://localhost:4000/?search=title", {
           signal: AbortSignal.timeout(5000),
         }),
       ]);
     })
-    .then(([noSQLInjection, normalSearch]) => {
+    .then(([noSQLInjection, noSQLInjection2, normalSearch]) => {
       t.equal(noSQLInjection.status, 500);
+      t.equal(noSQLInjection2.status, 500);
       t.equal(normalSearch.status, 200);
       t.match(stdout, /Starting agent/);
       t.match(stderr, /Zen has blocked a NoSQL injection/);
@@ -84,13 +88,17 @@ t.test("it does not block in dry mode", (t) => {
         fetch("http://localhost:4001/?search[$ne]=null", {
           signal: AbortSignal.timeout(5000),
         }),
+        fetch("http://localhost:4001/?search[$nin]=foo", {
+          signal: AbortSignal.timeout(5000),
+        }),
         fetch("http://localhost:4001/?search=title", {
           signal: AbortSignal.timeout(5000),
         }),
       ])
     )
-    .then(([noSQLInjection, normalSearch]) => {
+    .then(([noSQLInjection, noSQLInjection2, normalSearch]) => {
       t.equal(noSQLInjection.status, 200);
+      t.equal(noSQLInjection2.status, 200);
       t.equal(normalSearch.status, 200);
       t.match(stdout, /Starting agent/);
       t.notMatch(stderr, /Zen has blocked a NoSQL injection/);

diff --git a/library/agent/Context.ts b/library/agent/Context.ts
@@ -37,6 +37,12 @@ export type Context = {
   rateLimitGroup?: string; // Used to apply rate limits to a group of users
   rateLimitedEndpoint?: Endpoint; // The route that was rate limited
   tenantId?: string; // Used for IDOR protection - set via setTenantId()
+
+  /**
+   * Used to store the original, not normalized filter for some NoSQL libraries, e.g. mongoose,
+   * as we can not match the normalized filter with the payload in some cases
+   */
+  notNormalizedNoSqlFilter?: unknown;
 };
 
 /**

diff --git a/library/agent/protect.ts b/library/agent/protect.ts
@@ -61,6 +61,7 @@ import { FunctionSink } from "../sinks/FunctionSink";
 import type { FetchListsAPI } from "./api/FetchListsAPI";
 import { FetchListsAPINodeHTTP } from "./api/FetchListsAPINodeHTTP";
 import shouldEnableFirewall from "../helpers/shouldEnableFirewall";
+import { Mongoose } from "../sinks/Mongoose";
 
 function getLogger(): Logger {
   if (isDebugging()) {
@@ -175,6 +176,7 @@ export function getWrappers() {
     new AwsSDKVersion2(),
     new AiSDK(),
     new GoogleGenAi(),
+    new Mongoose(),
   ];
 }
 

diff --git a/library/helpers/clone.test.ts b/library/helpers/clone.test.ts
@@ -0,0 +1,17 @@
+import * as t from "tap";
+import { clone } from "./clone";
+
+t.test("it clones objects", async (t) => {
+  const obj = { a: 1, b: { c: 2 } };
+  const cloned = clone(obj);
+  t.equal(cloned.a, 1);
+  t.equal(cloned.b.c, 2);
+
+  // Modifying the cloned object should not affect the original
+  cloned.b.c = 3;
+  t.equal(obj.b.c, 2);
+
+  // Modifing the original object should not affect the cloned
+  obj.b.c = 4;
+  t.equal(cloned.b.c, 3);
+});
diff --git a/library/helpers/clone.ts b/library/helpers/clone.ts
@@ -0,0 +1,9 @@
+// Node.js v16 does not have structuredClone, so we need to use a polyfill
+const cloneFunction =
+  typeof structuredClone === "function"
+    ? structuredClone
+    : (obj: any) => JSON.parse(JSON.stringify(obj));
+
+export function clone<T>(obj: T): T {
+  return cloneFunction(obj);
+}
diff --git a/library/package-lock.json b/library/package-lock.json
diff --git a/library/package.json b/library/package.json
@@ -122,6 +122,7 @@
     "mongodb-v5": "npm:mongodb@^5.0.0",
     "mongodb-v6": "npm:mongodb@^6.0.0",
     "mongodb-v7": "npm:mongodb@^7.0.0",
+    "mongoose": "^9.3.0",
     "mysql": "^2.18.1",
     "mysql2-v3.10": "npm:mysql2@3.10",
     "mysql2-v3.12": "npm:mysql2@3.12",

diff --git a/library/sinks/MongoDB.ts b/library/sinks/MongoDB.ts
@@ -43,11 +43,18 @@ export class MongoDB implements Wrapper {
   private inspectFilter(
     db: string,
     collection: string,
-    request: Context,
+    context: Context,
     filter: unknown,
     operation: string
   ): InterceptorResult {
-    const result = detectNoSQLInjection(request, filter);
+    let result = detectNoSQLInjection(context, filter);
+
+    if (!result.injection && context.notNormalizedNoSqlFilter) {
+      // Also check the original, not normalized filter in the context, if set
+      // Mongoose modifies the filter object in-place and we might not be able to match the normalized filter
+      // with the payload, so we need to check the original filter as well
+      result = detectNoSQLInjection(context, context.notNormalizedNoSqlFilter);
+    }
 
     if (result.injection) {
       return {