CVE-2025-23061

CRITICAL
2025-01-15
9.0 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 18:03 (vuln.today)
Patch Released: Mar 28, 2026 - 18:03 (nvd), patch available
CVE Published: Jan 15, 2025 - 05:15 (nvd), CRITICAL 9.0

Description

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Analysis

Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with populate() match operations. This is an incomplete fix for CVE-2024-53900, allowing attackers to inject arbitrary MongoDB queries through SpEL-like expressions in nested query parameters.

Technical Context

Mongoose's populate() method supports match conditions for filtering populated documents. When a $where filter is nested within a populate match, the query sanitization from the original CVE-2024-53900 fix is bypassed. An attacker can inject arbitrary JavaScript that executes in MongoDB's query context, enabling data extraction or server-side JavaScript execution.

Affected Products

- Mongoose < 8.9.5
- Node.js applications using Mongoose populate() with user-controlled match

Remediation

Update Mongoose to 8.9.5 or later. Never pass unsanitized user input to populate match conditions. Implement query parameter allowlisting. Disable JavaScript execution in MongoDB if not required (--noscripting).
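
The allowlisting recommended above, as an added example (not Mongoose's code and not part of the advisory). It contrasts a top-level-only operator check with a recursive one and builds the populate() match from allowlisted fields only; `ALLOWED_MATCH_FIELDS`, the function names and the sample inputs are assumptions made for illustration.

```javascript
// Hypothetical allowlist: the only fields a client may filter populated docs on.
const ALLOWED_MATCH_FIELDS = { status: 'string', role: 'string' };

// Top-level-only check, shown for contrast: it misses operators nested deeper.
function hasTopLevelWhere(match) {
  return Object.prototype.hasOwnProperty.call(match, '$where');
}

// Recursive check: returns the path of every "$"-prefixed key, walking nested
// objects and arrays so a $where under $or / $and / $nor is still reported.
function findOperatorPaths(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$')) hits.push(here);
    hits.push(...findOperatorPaths(child, here));
  }
  return hits;
}

// Build the populate() match from untrusted input: reject any client-supplied
// operator, accept only allowlisted fields with primitive values, and wrap each
// value in a server-chosen $eq so it is always compared as a literal.
function buildPopulateMatch(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('match must be a plain object');
  }
  const operators = findOperatorPaths(untrusted);
  if (operators.length > 0) {
    throw new Error(`operators not allowed in match: ${operators.join(', ')}`);
  }
  const match = {};
  for (const [field, value] of Object.entries(untrusted)) {
    if (typeof value !== ALLOWED_MATCH_FIELDS[field]) {
      throw new Error(`field not allowed or wrong type: ${field}`);
    }
    match[field] = { $eq: value };
  }
  return match;
}

// Constructed sample inputs (not taken from a real request).
const NESTED_SAMPLE = { $or: [{ $where: 'placeholder' }, { status: 'active' }] };
const BENIGN_SAMPLE = { status: 'active' };
```

The object returned by `buildPopulateMatch` is what would be passed as the `match` option of populate(); the paths from `findOperatorPaths` are worth logging when a request is rejected.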

Priority Score

101
KEV: 0
EPSS: +55.9
CVSS: +45
POC: 0
