CVE-2025-23061 – mongoose
Package
Manager: npm
Name: mongoose
Vulnerable Version: >=8.0.0-rc0 <8.9.5 || >=7.0.0-rc0 <7.8.4 || >=0 <6.13.6
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.72998 (percentile 0.98737)
Details
Mongoose search injection vulnerability

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
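Independently of upgrading to a fixed version, a practitioner will want to refuse any user-influenced filter or populate() match object that carries a JavaScript-evaluating operator before it reaches Mongoose. The following is an added example, not code from the advisory or from the mongoose project; `findJsOperators` and `assertSafeFilter` are hypothetical helper names, and the sample filters are constructed.

```javascript
// Added example (not from the advisory or the mongoose project): walk a
// MongoDB query object and report every key that would make the server
// evaluate JavaScript. `$where` is the operator named in the advisory;
// `$function` and `$accumulator` are the equivalent aggregation-stage
// operators and are included for completeness.
const JS_OPERATORS = new Set(['$where', '$function', '$accumulator']);

// Returns a list of JSON-path style locations of forbidden operators.
// Handles nested objects and arrays, so `$or` / `$and` branches are covered.
function findJsOperators(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      hits.push(...findJsOperators(item, `${path}[${i}]`));
    });
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (JS_OPERATORS.has(key)) hits.push(childPath);
      hits.push(...findJsOperators(child, childPath));
    }
  }
  return hits;
}

// Gate to call on any filter derived from request input, e.g.
// Model.find(assertSafeFilter(req.body.filter)) or a populate() match.
// Throws instead of silently stripping, so the rejection is visible in logs.
function assertSafeFilter(filter) {
  const hits = findJsOperators(filter);
  if (hits.length > 0) {
    throw new Error(`rejected filter: JavaScript-evaluating operator at ${hits.join(', ')}`);
  }
  return filter;
}

// Constructed sample inputs: a normal query and one smuggling `$where`
// inside an `$or` branch, where a top-level-only check would miss it.
const benignFilter = { $or: [{ name: 'alice' }, { age: { $gt: 30 } }] };
const hostileFilter = { $or: [{ name: 'alice' }, { $where: '1 === 1' }] };

module.exports = { findJsOperators, assertSafeFilter, benignFilter, hostileFilter };
```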
Metadata
Created: 2025-01-15T06:30:49Z
Modified: 2025-01-17T18:02:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-vg7j-7cwx-8wgw
Finding: F422
Auto approve: 1