Search Injection Vulnerability in Mongoose by Automattic
CVE-2025-23061

9 CRITICAL

Key Information:

Vendor: Mongoosejs
Status
Mongoose
Vendor
CVE Published: 15 January 2025

Summary

Mongoose prior to version 8.9.5 improperly handles a nested $where filter when it is combined with a populate() match. The flaw can be exploited through search injection, potentially allowing malicious actors to manipulate database queries. The issue exists because the fix for a prior vulnerability, CVE-2024-53900, was incomplete.

Affected Version(s)

Mongoose 6.0.0 < 6.13.6

Mongoose 7.0.0 < 7.8.4

Mongoose 8.0.0 < 8.9.5
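
A defensive check for the issue summarized above, as an added example that is not Mongoose's own code: it tests an installed version against the affected ranges listed on this page and rejects a request-derived filter that carries `$where` at any depth before it is used as a populate() match. The function names (`isAffectedVersion`, `findWhere`, `assertSafeMatch`) are hypothetical.

```javascript
// Added example, not Mongoose's code. Ranges copied from "Affected Version(s)".
const AFFECTED = [
  { from: [6, 0, 0], fixed: [6, 13, 6] },
  { from: [7, 0, 0], fixed: [7, 8, 4] },
  { from: [8, 0, 0], fixed: [8, 9, 5] },
];

// "8.9.4" or "8.9.4-rc.1" -> [8, 9, 4]
const parse = (v) => v.split('-')[0].split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
};

// True when an installed Mongoose version falls in one of the affected ranges.
function isAffectedVersion(version) {
  const v = parse(version);
  return AFFECTED.some((r) => cmp(v, r.from) >= 0 && cmp(v, r.fixed) < 0);
}

// Walk a filter of any shape and return the path to the first $where key,
// or null if there is none. A check of top-level keys alone misses a nested
// $where, so arrays and sub-objects are descended as well.
function findWhere(filter, path = 'match') {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findWhere(filter[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (filter === null || typeof filter !== 'object') return null;
  for (const key of Object.keys(filter)) {
    if (key === '$where') return `${path}.${key}`;
    const hit = findWhere(filter[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Guard to call before passing untrusted input to populate({ match }).
function assertSafeMatch(match) {
  const hit = findWhere(match);
  if (hit) throw new Error(`$where is not allowed in populate match: ${hit}`);
  return match;
}
```

The guard is a stopgap for deployments that cannot upgrade immediately; moving to a fixed release in the relevant branch is the actual remediation.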

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
