Balles

**Name of the Vulnerable Software and Affected Versions** Mongoose versions prior to 8.8.3 **Description** The issue is related to the improper use of the $where operator in Mongoose, which can lead to search injection and potentially allow a remote attacker to execute arbitrary code and gain read and write access to data. The vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries. **Recommendations** For versions prior to 8.8.3, update to version 8.8.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the $where operator in match queries to minimize the risk of exploitation.