CVE-2025-23061

Published: Jan 15, 2025Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Affected (3)

Products: Mongoosejs: Mongoose

Mongoosejs

1 product

Mongoose

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mongoosejs Mongoose	Before 6.13.6
Mongoosejs Mongoose	From 7.0.0 to 7.8.4
Mongoosejs Mongoose	From 8.0.0 to 8.9.5

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md

Source: cve@mitre.org

Release Notes

https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc

Source: cve@mitre.org

Patch

https://github.com/Automattic/mongoose/releases/tag/8.9.5

Source: cve@mitre.org

Release Notes

https://www.npmjs.com/package/mongoose?activeTab=versions

Source: cve@mitre.org

Product

Timeline

No history available yet.