CVE-2024-53900

9.1 CRITICAL

📋 TL;DR

Mongoose versions before 8.8.3 contain a search injection vulnerability where improper use of $where in match operations can allow attackers to execute arbitrary JavaScript code. This affects any application using vulnerable Mongoose versions for MongoDB operations. Attackers could potentially read, modify, or delete database data.

💻 Affected Systems

Products:
  • Mongoose
Versions: All versions before 8.8.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using Mongoose's $where operator in match queries are vulnerable. The vulnerability exists in the Mongoose library itself, not MongoDB.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise allowing data exfiltration, modification, or deletion, potentially leading to complete application takeover.

🟠 Likely Case: Data manipulation or extraction from MongoDB collections, potentially exposing sensitive information.

🟢 If Mitigated: Limited impact with proper input validation and query sanitization in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to influence query parameters passed to Mongoose's match operations. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.8.3

Vendor Advisory: https://github.com/advisories/GHSA-m7xq-9374-9rvx

Restart Required: No

Instructions:

1. Update the Mongoose package to version 8.8.3 or later.
2. Run: npm update mongoose
3. Verify the update with: npm list mongoose
4. Test application functionality after the update.

🔧 Temporary Workarounds

Disable $where operator usage (all)
  • Remove or refactor code that uses the $where operator in Mongoose match queries

Implement input validation (all)
  • Add strict input validation and sanitization for all query parameters

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs used in database queries
  • Use Mongoose query methods that don't involve $where operator and implement parameterized queries
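The two workarounds above (sanitizing user input before it reaches a query, and flagging $where usage for the detection section below) can be implemented without touching Mongoose internals. The following is an added example, not code from this advisory or from the Mongoose project; it assumes user-supplied filters arrive as parsed JSON objects and that the application knows which fields a caller may filter on. `buildMatchFilter` and `findOperatorKeys` are hypothetical helper names.

```javascript
// Added example: allowlist-based filter construction plus an audit helper
// that reports MongoDB operator keys (such as $where) in untrusted input.
// Not part of the advisory or of Mongoose; helper names are hypothetical.

// Build a Mongoose match/filter object from untrusted input.
// Only allowlisted field names with scalar values are accepted, so an
// attacker cannot smuggle $where (or any other operator) into the query.
function buildMatchFilter(userInput, allowedFields) {
  if (userInput === null || typeof userInput !== 'object' || Array.isArray(userInput)) {
    throw new TypeError('filter must be a plain object');
  }
  const filter = {};
  for (const [key, value] of Object.entries(userInput)) {
    if (!allowedFields.includes(key)) {
      throw new Error(`field not allowed in filter: ${key}`);
    }
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      throw new Error(`non-scalar value rejected for field: ${key}`);
    }
    filter[key] = value;
  }
  return filter;
}

// Walk an arbitrary object/array and return the paths of every key that
// starts with '$'. Useful for logging: log the result of this call at the
// request boundary and alert on any path ending in '$where'.
function findOperatorKeys(value, path = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findOperatorKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (key.startsWith('$')) found.push(childPath);
      findOperatorKeys(child, childPath, found);
    }
  }
  return found;
}

// Constructed sample inputs (not from the advisory).
const ALLOWED_FIELDS = ['name', 'active'];
const benignInput = { name: 'alice', active: true };
const hostileInput = { name: { $where: 'this.owner === "x"' }, tags: [{ $gt: 1 }] };

console.log('safe filter:', buildMatchFilter(benignInput, ALLOWED_FIELDS));
console.log('operator keys found:', findOperatorKeys(hostileInput));
try {
  buildMatchFilter(hostileInput, ALLOWED_FIELDS);
} catch (err) {
  console.log('rejected:', err.message);
}
```

`buildMatchFilter` is the preventive control: because it copies only allowlisted scalar fields, the resulting object can be passed to `Model.find()` or a `populate({ match })` option without any chance of carrying an operator. `findOperatorKeys` is the detective control: it does not change the query, it only produces the evidence the "Log Indicators" section asks for, so it can run on every incoming filter regardless of which code path consumes it.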

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list mongoose | grep mongoose

Check Version:

npm list mongoose | grep mongoose

Verify Fix Applied:

Verify installed version is 8.8.3 or higher: npm list mongoose

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • JavaScript execution in MongoDB queries
  • Unexpected $where operator usage

Network Indicators:

  • Unusual database query traffic patterns

SIEM Query:

Search for application logs containing '$where' operator usage with user-controlled input

🔗 References
