A newly discovered vulnerability in Mongoose, a popular MongoDB object modeling tool, could leave millions of users susceptible to search injection attacks.
The vulnerability, tracked as CVE-2025-23061 and assigned a CVSS score of 9.0, affects Mongoose versions before 8.9.5. It stems from improper handling of a $where filter nested inside a populate() match option: when an application builds the match filter from attacker-influenced input, the attacker can smuggle in $where, manipulate which documents the query returns, and potentially gain unauthorized access to sensitive data.
Mongoose is a popular library for Node.js and Deno, designed to simplify MongoDB database interactions with features like schema-based modeling, built-in validation, and query building. With 2.7 million weekly downloads, it is a critical dependency for countless applications.
This issue arises as a consequence of an incomplete fix for a previous vulnerability, CVE-2024-53900, which addressed $where being accepted in a populate() match filter; that fix caught $where at the top level of the filter but not a $where nested inside another operator (for example within $or). The $where operator evaluates a JavaScript expression on the mongod server for every candidate document, which makes it a prime target for attackers seeking to inject code and compromise database integrity or confidentiality. Deployments that have disabled server-side JavaScript (security.javascriptEnabled: false in mongod.conf, or the --noscripting flag) reject $where outright and are not exposed to the code-execution part of this issue, though they should still upgrade.
Mongoose has resolved this vulnerability in version 8.9.5. Users are strongly recommended to upgrade to the latest version to mitigate the risk of search injection attacks. Given that the npm package boasts over 2.7 million downloads every week, the potential impact of this vulnerability is significant.
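The nested-$where case above is worth seeing concretely. The following is an added example and not Mongoose's own code or the project's fix: an application-side check that walks a user-supplied filter (including the operand arrays of $or, $and and $nor, which is where the nested variant hides) and refuses it if $where appears anywhere, before the filter is handed to populate({ match }) or find(). The sample filters, the buildPopulateOptions helper and the field names are constructed for illustration and do not come from the advisory; the check runs offline without a MongoDB instance.

```javascript
'use strict';

// Added example, not Mongoose's own code. Recursively walk a MongoDB filter
// and return the JSON path of the first `$where` found, or null if the filter
// is clean. Arrays are traversed as well, so a $where hidden inside the
// operands of $or / $and / $nor is caught along with a top-level one.
function findWhere(filter, path = '$') {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findWhere(filter[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (filter && typeof filter === 'object') {
    for (const key of Object.keys(filter)) {
      if (key === '$where') return `${path}.${key}`;
      const hit = findWhere(filter[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Throws if the filter contains $where anywhere; otherwise returns it unchanged.
function assertNoWhere(filter) {
  const hit = findWhere(filter);
  if (hit) throw new Error(`$where is not allowed in filters (found at ${hit})`);
  return filter;
}

// Constructed sample inputs (hypothetical, not from the advisory), shaped the
// way an attacker-controlled `match` object arrives after JSON parsing.
const cleanMatch = { published: true, $or: [{ lang: 'en' }, { lang: 'de' }] };
const topLevelWhere = { $where: 'sleep(5000) || true' };
const nestedWhere = { $or: [{ lang: 'en' }, { $where: 'this.secret.length > 0' }] };

// Hypothetical application helper: only builds the populate() options once the
// user-supplied match filter has passed the check.
function buildPopulateOptions(path, userMatch) {
  return { path, match: assertNoWhere(userMatch) };
}

console.log(findWhere(cleanMatch));     // null
console.log(findWhere(topLevelWhere));  // $.$where
console.log(findWhere(nestedWhere));    // $.$or[1].$where
try {
  buildPopulateOptions('posts', nestedWhere);
} catch (e) {
  console.log(e.message);               // $where is not allowed in filters (found at $.$or[1].$where)
}
```

Denying one operator is a narrow defence: it covers the class described here, but an endpoint that accepts filter objects from clients is better served by allowlisting the fields and operators it actually needs and constructing the match object itself, with the upgrade to a patched Mongoose as the primary fix.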