VDB

CISA-2025-23061

CISA-2025-23061 PUBLISHED CVSS 9 CRITICAL

Reported by mitre · Published January 15, 2025

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Risk Scores

CVSS 3.1
9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersions
mongoosejsMongoose6.0.0, 7.0.0, 8.0.0
mongoosejsMongoose7.0.0, 6.0.0, 7.0.0
mongoosejsmongoose7.0.0, 8.0.0, 6.0.0

Timeline

  • Jan 15, 2025 CVE Published
  • Jan 15, 2025 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›