PT-2024-35970 · Mongoose

Balles +1

Published: 2024-11-26 · Updated: 2025-11-10

CVE-2024-53900

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Mongoose versions prior to 8.8.3
Description: Mongoose versions before 8.8.3 do not reject the $where operator in the match filter passed to populate(). MongoDB evaluates a $where clause as JavaScript on the server for every candidate document, so an application that forwards an attacker-controlled filter into match lets a remote, unauthenticated attacker inject arbitrary JavaScript into the query (search injection), bypass the conditions the filter was meant to enforce, and read or modify data the query should not have reached.
Recommendations: For versions prior to 8.8.3, update to version 8.8.3 or later. As a temporary workaround, never pass user-controlled objects into the match option of populate(); build the filter from an allow-list of field names instead, and reject any filter that contains $where, including one nested under $or, $and or $nor. Where server-side JavaScript is not needed at all, disable it on the MongoDB server (security.javascriptEnabled: false in mongod.conf, or the --noscripting flag) so that $where fails regardless of application behaviour.
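The following is an added example, not code from the advisory, from Mongoose or from MongoDB. It shows the shape of the injection described above (an attacker-controlled object reaching populate({ match })) next to two application-side checks: a recursive scan that refuses $where anywhere in the filter (this goes beyond the flat case by also catching a $where nested under $or/$and/$nor or inside arrays) and an allow-list builder that only admits plain equality on named fields. The Order model, the customer path, the status and region fields and the stub model used in place of a live Mongoose model are all assumptions made for the example.

```javascript
// Added example (not Mongoose's or MongoDB's own code).

// Constructed attacker-controlled input, e.g. a decoded JSON query parameter.
// A $where string is JavaScript that MongoDB evaluates server-side for every
// candidate document, so this filter matches everything regardless of any
// other condition the application meant to apply.
const untrustedMatch = { $where: 'return true' };

// Recursively walk a filter and report whether $where appears anywhere,
// including nested under $or / $and / $nor or inside arrays.
function containsWhere(filter) {
  if (Array.isArray(filter)) return filter.some(containsWhere);
  if (filter === null || typeof filter !== 'object') return false;
  return Object.entries(filter).some(
    ([key, val]) => key === '$where' || containsWhere(val)
  );
}

// Allow-list builder: copies only scalar equality values for the named fields,
// so no operator (neither $where nor any other $-key) survives into the match.
function buildMatch(untrusted, allowedFields) {
  const match = {};
  for (const field of allowedFields) {
    if (!(field in untrusted)) continue;
    const v = untrusted[field];
    if (typeof v === 'object' && v !== null) {
      throw new Error(`operator objects are not allowed for field ${field}`);
    }
    match[field] = v;
  }
  return match;
}

// Vulnerable call site (hypothetical Order model with a 'customer' reference):
// the untrusted object flows straight into match. With Mongoose < 8.8.3 the
// $where is forwarded to the server; 8.8.3 and later reject it.
function vulnerablePopulate(Order, untrusted) {
  return Order.find().populate({ path: 'customer', match: untrusted });
}

// Hardened call site: refuse $where outright, then rebuild the filter from an
// allow-list so only known fields with scalar values reach Mongoose.
function hardenedPopulate(Order, untrusted) {
  if (containsWhere(untrusted)) {
    throw new Error('$where is not permitted in populate match');
  }
  const match = buildMatch(untrusted, ['status', 'region']);
  return Order.find().populate({ path: 'customer', match });
}

// Constructed stand-in for a Mongoose model so the example runs offline:
// populate() simply returns the options it was given.
const stubOrderModel = {
  find() {
    return { populate: (opts) => opts };
  },
};

// Usage: the vulnerable path forwards the $where untouched; the hardened path
// throws on it and otherwise strips unknown keys.
const forwarded = vulnerablePopulate(stubOrderModel, untrustedMatch);
console.log('vulnerable path forwards:', JSON.stringify(forwarded.match));
try {
  hardenedPopulate(stubOrderModel, untrustedMatch);
} catch (e) {
  console.log('hardened path rejected:', e.message);
}
console.log(
  'hardened path allows:',
  JSON.stringify(hardenedPopulate(stubOrderModel, { status: 'open', $gt: 5, region: 'eu' }))
);
```

The allow-list is the stronger of the two checks: a deny-list on $where alone still lets other operators through, whereas rebuilding the filter from known field names means the application, not the client, decides which keys the query can contain.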

Tags: Fix · RCE · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-01987
BIT-MONGOOSE-2024-53900
CVE-2024-53900
GHSA-M7XQ-9374-9RVX

Affected Products

Mongoose