Vkarpov15

**Name of the Vulnerable Software and Affected Versions** Mongoose versions prior to 8.9.5 Mongoose versions prior to 7.8.4 Mongoose versions prior to 6.13.6 **Description** Mongoose is susceptible to a search injection issue due to the improper handling of nested `$where` filters when used with `populate()`. The `$where` clause allows the execution of arbitrary JavaScript code within MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. This issue stems from an incomplete fix for CVE-2024-53900. Approximately 2.7K+ services are estimated to be affected yearly. The vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries. **Recommendations** Update Mongoose to version 8.9.5 or later. Update Mongoose to version 7.8.4 or later. Update Mongoose to version 6.13.6 or later.

**Name of the Vulnerable Software and Affected Versions** mongoose versions prior to 7.3.4 mongoose versions prior to 6.11.3 mongoose versions prior to 5.13.20 **Description** The issue is related to a prototype pollution vulnerability in the Mongoose library. This vulnerability can be exploited by a remote attacker to perform a prototype pollution attack. **Recommendations** For versions prior to 7.3.4, update to version 7.3.4 or later. For versions prior to 6.11.3, update to version 6.11.3 or later. For versions prior to 5.13.20, update to version 5.13.20 or later.

**Name of the Vulnerable Software and Affected Versions** mongoose versions prior to 6.4.6 **Description** The issue concerns a Prototype Pollution vulnerability in the mongoose package, a MongoDB object modeling tool. This vulnerability affects the `Schema.path()` function, allowing modification of the Object prototype, which could potentially lead to a Denial of Service (DoS) attack. **Recommendations** For versions prior to 6.4.6, update to version 6.4.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `Schema.path()` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** mquery versions prior to 3.2.3 **Description** The issue allows a pollution attack because a special property, such as ` proto `, can be copied during a merge or clone operation. This occurs in the lib/utils.js file. **Recommendations** For versions prior to 3.2.3, update to version 3.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the merge or clone operations in the lib/utils.js file to prevent the pollution attack.