CVE-2025-23061: Mongoose search injection vulnerability
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
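As an added defensive example (not code from the advisory or from the Mongoose project), the check below rejects a `$where` key at any nesting depth of a filter object, including inside `$or`/`$and`/`$nor` arrays, rather than only at the top level; the function names and the sample filters are hypothetical and constructed for this illustration.

```javascript
// Added example (not from the advisory or the mongoose project): a defensive
// check that rejects MongoDB filters containing `$where` at any nesting depth.
// Mongoose query filters and populate `match` conditions are plain objects, so
// the same walk applies to both. The names below are hypothetical.

// Return true if `filter` contains a `$where` key anywhere, including inside
// logical-operator arrays (`$or`, `$and`, `$nor`) and nested sub-documents.
function containsWhere(filter, depth = 0) {
  if (depth > 32) {
    // Defensive limit: refuse pathological nesting instead of recursing forever.
    throw new Error('filter nesting too deep');
  }
  if (Array.isArray(filter)) {
    return filter.some((item) => containsWhere(item, depth + 1));
  }
  if (filter === null || typeof filter !== 'object') {
    return false; // strings, numbers, booleans cannot carry an operator key
  }
  for (const key of Object.keys(filter)) {
    if (key === '$where') return true;
    if (containsWhere(filter[key], depth + 1)) return true;
  }
  return false;
}

// Fail closed before the filter reaches the database. Apply to any filter
// assembled from user-controlled input (request params, JSON bodies, etc.).
function assertNoWhere(filter) {
  if (containsWhere(filter)) {
    throw new Error('$where is not allowed in user-supplied filters');
  }
  return filter;
}

// Constructed sample filters.
const SAFE_FILTER = { status: 'active', $or: [{ age: { $gte: 18 } }, { verified: true }] };
// A top-level-only check would accept this one, because `$where` sits under `$or`.
const NESTED_WHERE = { $or: [{ age: { $gte: 18 } }, { $where: 'true' }] };
```

Run `assertNoWhere` on the filter as the last step before passing it to `Model.find()` or to a populate `match`, so that a rejected filter never reaches the query layer.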
References
- github.com/Automattic/mongoose
- github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc
- github.com/Automattic/mongoose/compare/6.13.5...6.13.6
- github.com/Automattic/mongoose/compare/7.8.3...7.8.4
- github.com/Automattic/mongoose/compare/8.9.4...8.9.5
- github.com/Automattic/mongoose/releases/tag/6.13.6
- github.com/Automattic/mongoose/releases/tag/7.8.4
- github.com/Automattic/mongoose/releases/tag/8.9.5
- github.com/advisories/GHSA-m7xq-9374-9rvx
- github.com/advisories/GHSA-vg7j-7cwx-8wgw
- nvd.nist.gov/vuln/detail/CVE-2025-23061
- www.npmjs.com/package/mongoose?activeTab=versions