PT-2025-4804 · Mongoose

Vkarpov15 · Published 2025-01-13 · Updated 2025-10-31

CVE-2025-23061
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Mongoose versions prior to 8.9.5
Mongoose versions prior to 7.8.4
Mongoose versions prior to 6.13.6

Description

Mongoose is susceptible to a search injection issue caused by the improper handling of nested $where filters when they are used with populate(). Because the $where clause executes arbitrary JavaScript code inside MongoDB queries, an attacker who can place such a clause into a nested populate filter can achieve code injection and gain unauthorized access to, or manipulate, database data. This issue stems from an incomplete fix for CVE-2024-53900. Approximately 2.7K+ services are estimated to be affected yearly.

Recommendations

Update Mongoose to version 8.9.5 or later.
Update Mongoose to version 7.8.4 or later.
Update Mongoose to version 6.13.6 or later.

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-01988
BIT-MONGOOSE-2025-23061
CVE-2025-23061
GHSA-VG7J-7CWX-8WGW

Affected Products

Mongoose