CVE-2025-23061

Summary

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Affected Software

VendorProductVersion RangeStatus
mongoosejsMongoose6.0.0 < 6.13.6affected
mongoosejsMongoose7.0.0 < 7.8.4affected
mongoosejsMongoose8.0.0 < 8.9.5affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References