CVE-2025-23061
Published: 15 January 2025
Description
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Security Summary
CVE-2025-23061 is a search injection vulnerability in the Mongoose library for MongoDB and Node.js, affecting versions prior to 8.9.5. The issue arises from improper handling of a nested $where filter within a populate() match operation, which allows malicious input to alter query behavior. This flaw stems from an incomplete fix for the prior CVE-2024-53900 and is classified under CWE-94 (code injection), with a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to potential high-impact confidentiality, integrity, and availability effects across a changed scope. The vulnerability was published on 2025-01-15.
Remote, unauthenticated attackers (PR:N) with network access (AV:N) can exploit this vulnerability without any user interaction (UI:N), although the attack complexity is rated high (AC:H). By supplying a query that nests a $where filter inside a populate() match, an attacker can inject code into search operations, potentially leading to arbitrary code execution, data exfiltration, data modification, or denial of service, as reflected in the high confidentiality, integrity and availability impacts and the scope change.
The issue is fixed in Mongoose version 8.9.5, as documented in the project's CHANGELOG.md, the fixing commit (64a9f9706f2428c49e0cfb8e223065acc645f7bc), and the release page. Security practitioners should upgrade to 8.9.5 or later via npm, where version details are available, to obtain the complete fix that CVE-2024-53900 only partially delivered.
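As an added example (not Mongoose's own code and not the 8.9.5 fix), the following Node.js guard walks a populate() match object and refuses it if a $where operator appears at any nesting depth, including inside $or/$and/$nor arrays, which is the shape of input the advisory describes. The helper names containsWhere and safePopulateOptions and the sample filters are assumptions constructed for illustration.

```javascript
// Constructed defensive check for a populate() `match` filter.
// Returns true if a `$where` key occurs anywhere in the filter tree.
function containsWhere(filter, depth = 0) {
  // Guard against pathological nesting; 32 levels is more than any real filter needs.
  if (depth > 32) throw new Error('filter nesting too deep');
  if (Array.isArray(filter)) {
    // $or / $and / $nor carry arrays of sub-filters; inspect each one.
    return filter.some((item) => containsWhere(item, depth + 1));
  }
  if (filter === null || typeof filter !== 'object') return false;
  for (const key of Object.keys(filter)) {
    if (key === '$where') return true;
    if (containsWhere(filter[key], depth + 1)) return true;
  }
  return false;
}

// Build populate() options only when the match filter is free of $where.
// The rejection is by key, so the content of the $where string is irrelevant.
function safePopulateOptions(path, match) {
  if (containsWhere(match)) {
    throw new Error(`refusing populate('${path}'): $where operator found in match`);
  }
  return { path, match };
}

// Constructed sample filters (not taken from the advisory).
const benignMatch = {
  status: 'active',
  $or: [{ role: 'editor' }, { role: 'admin' }],
};
const topLevelWhere = { $where: 'this.visible == true' };
// A $where hidden two levels down, as a naive top-level-only check would miss.
const nestedWhere = {
  $and: [{ status: 'active' }, { $nor: [{ $where: 'this.visible == true' }] }],
};
```

Apply safePopulateOptions() wherever user-controlled input feeds a populate() match; it rejects the nested case as well as the top-level one.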
Details
- CWE(s)