CVE-2025-23061: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists...

9.0 CVSS

Description

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Classification

CVE ID: CVE-2025-23061

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.0

Affected Products

Vendor: mongoosejs

Product: Mongoose

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.81% (share of all scored CVEs whose EPSS score is less than or equal to this one)

EPSS Date: 2025-02-13 (date this score was calculated)

References

https://www.npmjs.com/package/mongoose?activeTab=versions
https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
https://github.com/Automattic/mongoose/releases/tag/8.9.5
https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc

Timeline