Search Injection Vulnerability in Mongoose by Automattic
CVE-2025-23061
Key Information:
- Vendor: Mongoosejs
- Status: Vendor
- CVE Published: 15 January 2025
What is CVE-2025-23061?
CVE-2025-23061 is a vulnerability in Mongoose, the widely used MongoDB object modeling library for Node.js. It concerns how Mongoose validates the filter passed as the match option of populate(): a $where operator nested inside other query operators was not rejected. An application that builds a populate() match from user-controlled input therefore remains open to search (query) injection, letting an attacker alter which documents the populated query returns and, through $where, run JavaScript on the MongoDB server. The consequence is unauthorized access to data that the application's own filter was meant to exclude, which directly affects data confidentiality.
Technical Details
The flaw affects Mongoose releases before 8.9.5 (and the corresponding 6.x and 7.x branches listed below). It is an incomplete fix for CVE-2024-53900: the earlier fix, shipped in 8.8.3, rejected a $where operator that appeared as a top-level key of the populate() match filter, but it did not look for $where nested inside other query operators (for example, inside an $or array). Since MongoDB evaluates $where as server-side JavaScript, an attacker who controls the match object can still smuggle a $where expression into the populate query and dictate its result set. Mongoose 8.9.5, 7.8.4 and 6.13.6 extend the check so that a nested $where is rejected as well.
Potential Impact of CVE-2025-23061
- Unauthorized Data Access: An injected $where lets an attacker replace the application's intended match conditions with their own, so the populated query can return documents the application meant to withhold, exposing sensitive user and organizational data.
- Integrity of Query Results: Because the attacker controls which referenced documents are returned, any authorization or business logic that relies on the populate() match being trustworthy can be subverted, producing incorrect application behaviour.
- Increased Attack Surface: $where executes JavaScript on the MongoDB server, so accepting it from untrusted input gives adversaries a foothold for further attacks against the database layer beyond simple filter manipulation.

Affected Version(s)
Mongoose 6.0.0 < 6.13.6
Mongoose 7.0.0 < 7.8.4
Mongoose 8.0.0 < 8.9.5
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
EPSS Score
64% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
