VDB
CISA-2025-23061
CISA-2025-23061
PUBLISHED
CVSS 9 CRITICAL
Reported by mitre · Published January 15, 2025
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Risk Scores
CVSS 3.1
9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| mongoosejs | Mongoose | 6.0.0, 7.0.0, 8.0.0 |
| mongoosejs | Mongoose | 7.0.0, 6.0.0, 7.0.0 |
| mongoosejs | mongoose | 7.0.0, 8.0.0, 6.0.0 |
Timeline
- Jan 15, 2025 CVE Published
- Jan 15, 2025 CVE Updated