CVE-2025-23061

9.0 CRITICAL

📋 TL;DR

Mongoose before version 8.9.5 contains a search injection vulnerability: a nested $where filter used inside a populate() match is not rejected. This allows attackers to execute arbitrary JavaScript code in MongoDB queries, potentially leading to data manipulation or unauthorized access. All applications running a vulnerable Mongoose version that use $where queries together with populate() operations are affected.

💻 Affected Systems

Products:
  • Mongoose ODM
Versions: All versions before 8.9.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using $where queries with populate() operations. This issue exists because the fix for CVE-2024-53900 was incomplete.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data exfiltration, modification, or deletion through arbitrary JavaScript execution in MongoDB queries.

🟠 Likely Case

Data manipulation or unauthorized access to database records through injection of malicious query logic.

🟢 If Mitigated

Limited impact with proper input validation and query sanitization in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Mongoose query structure and access to vulnerable endpoints. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.9.5

Vendor Advisory: https://github.com/Automattic/mongoose/releases/tag/8.9.5

Restart Required: Yes

Instructions:

  • Update the Mongoose package to version 8.9.5 or later
  • Run: npm update mongoose
  • Restart your application server
  • Test all $where queries with populate() operations

🔧 Temporary Workarounds

Disable $where queries (applies to: all)

Temporarily disable or avoid using $where queries with populate() operations until patched

Input validation (applies to: all)

Implement strict input validation and sanitization for all query parameters

🧯 If You Can't Patch

  • Implement strict input validation for all query parameters
  • Use Mongoose query sanitization middleware
  • Disable $where operator usage entirely
  • Implement network segmentation and database access controls
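The input-validation and "disable $where" workarounds above can be enforced before a request-built filter ever reaches Mongoose. The following is an added example written for this page, not code from the Mongoose project: it walks a populate() options object recursively and rejects the $where operator wherever it appears, including nested under $or / $and, which is the pattern this CVE describes and which a top-level key check misses. Function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not Mongoose project code): reject the $where operator
// anywhere inside an untrusted filter object. A top-level key check is
// not enough, because $where can be nested under $or / $and / $nor or
// inside a populate() match, which is the pattern this CVE describes.

// Returns the path of the first $where key found, or null if none.
function findWhereOperator(value, path = '$') {
  if (Array.isArray(value)) {
    // Elements of $or / $and / $nor arrays are filter objects themselves.
    for (let i = 0; i < value.length; i++) {
      const hit = findWhereOperator(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    if (key === '$where') return `${path}.${key}`;
    const hit = findWhereOperator(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Validate a populate() options object built from request data before
// handing it to Mongoose; throws if its `match` contains $where.
function assertSafePopulate(populateOptions) {
  const match = populateOptions && populateOptions.match;
  if (match && typeof match === 'object') {
    const hit = findWhereOperator(match, 'match');
    if (hit) throw new Error(`$where is not allowed in populate() match (at ${hit})`);
  }
  return populateOptions;
}

// Boolean wrapper for handlers that prefer returning a 400 to throwing.
function isSafePopulate(populateOptions) {
  try { assertSafePopulate(populateOptions); return true; } catch (e) { return false; }
}

// Constructed sample inputs, not taken from a real application.
const safePopulate = { path: 'author', match: { archived: false, $or: [{ role: 'admin' }, { role: 'editor' }] } };
const nestedWherePopulate = { path: 'author', match: { $or: [{ role: 'admin' }, { $where: 'this.role' }] } };
```

Call assertSafePopulate() on every populate option object derived from user input; the returned path makes the rejected key easy to log as a detection signal.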

🔍 How to Verify

Check if Vulnerable:

Check package.json for mongoose version below 8.9.5 and review code for $where queries with populate()

Check Version:

npm list mongoose

Verify Fix Applied:

Verify mongoose version is 8.9.5 or higher and test vulnerable query patterns

📡 Detection & Monitoring

Log Indicators:

  • Unusual MongoDB query patterns with $where operators
  • JavaScript execution in database queries
  • Unexpected populate() operations

Network Indicators:

  • Abnormal database query patterns from application servers

SIEM Query:

source="application_logs" AND ("$where" OR "populate") AND severity="HIGH"
