
Mongoose CVE-2025-23061

CRITICAL
Code Injection (CWE-94)
2025-01-15 cve@mitre.org
9.0
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated
Mar 28, 2026 - 18:03 vuln.today
Patch released
Mar 28, 2026 - 18:03 nvd
Patch available
CVE Published
Jan 15, 2025 - 05:15 nvd

Description (CVE.org)

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Analysis (AI)

Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when $where filters are used inside populate() match operations. The flaw results from an incomplete fix for CVE-2024-53900 and allows attackers to inject arbitrary MongoDB queries through SpEL-like expressions in nested query parameters.

Technical Context (AI)

Mongoose's populate() method supports match conditions for filtering the populated documents. When a $where filter is nested inside such a populate match, the query sanitization added by the original CVE-2024-53900 fix is bypassed. An attacker can therefore inject arbitrary JavaScript that executes in MongoDB's query context, enabling data extraction or server-side JavaScript execution.

Remediation (AI)

Update Mongoose to 8.9.5 or later. Never pass unsanitized user input to populate match conditions. Implement query parameter allowlisting. Disable server-side JavaScript execution in MongoDB (the --noscripting option) where it is not required.
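The allowlisting advice above, worked through as an added example (this is not code from Mongoose or from the advisory): a user-supplied filter is rebuilt field by field before it is handed to populate(), so operator keys such as $where and nested objects never reach the query, and a small version check tells whether an installed Mongoose is at or past the 8.9.5 fix. The field names in ALLOWED_MATCH_FIELDS and the helper names are assumptions for the illustration.

```javascript
// Fields of the populated schema that callers may filter on (assumed for
// this illustration; substitute the real schema's field names).
const ALLOWED_MATCH_FIELDS = new Set(['status', 'category']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Reduce a user-supplied filter to an allowlisted, operator-free match object.
// Any key beginning with '$' (such as $where), any dotted path, any nested
// object or array value, and any non-allowlisted field is rejected by throwing.
function sanitizeMatch(userFilter) {
  if (!isPlainObject(userFilter)) throw new TypeError('match must be a plain object');
  const safe = {};
  for (const [key, value] of Object.entries(userFilter)) {
    if (key.startsWith('$') || key.includes('.')) throw new Error(`rejected key: ${key}`);
    if (!ALLOWED_MATCH_FIELDS.has(key)) throw new Error(`field not allowlisted: ${key}`);
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      throw new Error(`rejected value type for ${key}: ${typeof value}`);
    }
    safe[key] = value;
  }
  return safe;
}

// Options object for Model.find(...).populate(opts): the match is rebuilt
// from the allowlist rather than forwarded from the request.
function buildPopulate(path, userFilter) {
  return { path, match: sanitizeMatch(userFilter) };
}

// The pattern the advisory warns against, kept only for contrast: the request
// filter reaches populate() unchanged, so operator keys pass straight through.
function buildPopulateUnsafe(path, userFilter) {
  return { path, match: userFilter };
}

// True when an installed Mongoose version string is 8.9.5 or later
// (pre-release suffixes such as "-rc.1" are ignored for the comparison).
function isFixedMongooseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  for (const [have, need] of [[major, 8], [minor, 9], [patch, 5]]) {
    if (have !== need) return have > need;
  }
  return true;
}
```

In a request handler the call would be `Model.find().populate(buildPopulate('items', req.query.filter))`, with the thrown error mapped to a 400 response.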


CVE-2025-23061 vulnerability details – vuln.today
