CVE-2025-23061
Published: 15 January 2025
Summary
CVE-2025-23061 is a critical-severity Code Injection (CWE-94) vulnerability in Mongoosejs Mongoose. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Mongoose, an Object Document Mapper for MongoDB in Node.js applications, is affected by CVE-2025-23061 in versions prior to 8.9.5. The flaw is improper handling of a nested $where filter when it is combined with a populate() match operation, resulting in search injection. It stems from an incomplete remediation of the earlier CVE-2024-53900 and is classified under CWE-94 with a CVSS 3.1 score of 9.0.
An unauthenticated remote attacker can supply a crafted query that reaches the injection condition through the populate mechanism. Successful exploitation can lead to arbitrary code execution, or to unauthorized data access, modification and disruption within the affected MongoDB-backed application; the attack vector is rated network-reachable but of high complexity.
The official Mongoose changelog, commit 64a9f9706f2428c49e0cfb8e223065acc645f7bc, and release 8.9.5 confirm that upgrading to version 8.9.5 or later resolves the incomplete fix and eliminates the search-injection path. The package is available on npm with the corrected versions listed. The associated EPSS score has reached a peak of 0.7424 and currently sits at 0.7186, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0106
Vulnerability details
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A code injection vulnerability in Mongoose (a Node.js/MongoDB library) allows remote unauthenticated attackers to inject and execute arbitrary JavaScript via malicious $where filters in queries, which maps directly to exploitation of public-facing applications and use of the JavaScript interpreter for code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the search injection vulnerability by requiring timely remediation through upgrading Mongoose to version 8.9.5 or later, addressing the incomplete fix from CVE-2024-53900.
- SI-10 (Information Input Validation): prevents exploitation of the nested $where filter in a populate() match by applying input validation and error handling to user-supplied query parameters.
- Vulnerability scanning: detects the presence of vulnerable Mongoose versions prior to 8.9.5, enabling proactive patching.
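Added example (not part of this advisory or of the Mongoose project): a defender-side input validation step for populate() match filters, in the spirit of SI-10, that walks a user-supplied filter for operator keys such as $where at any depth and builds a whitelist-only equality match. The function names, the allowed-field list and the sample input are constructed for illustration.

```javascript
'use strict';

// Walk a filter (objects and arrays, any depth) and return the dotted path
// of the first MongoDB operator key ($-prefixed) found, or null if none.
// Nested objects are inspected because the CVE-2025-23061 issue involved a
// $where nested inside a populate() match rather than at the top level.
function findOperatorKey(filter, path = '') {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findOperatorKey(filter[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (filter !== null && typeof filter === 'object') {
    for (const key of Object.keys(filter)) {
      const here = path === '' ? key : `${path}.${key}`;
      if (key.startsWith('$')) return here;
      const hit = findOperatorKey(filter[key], here);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Build the match filter handed to populate() from untrusted input: only
// whitelisted fields, only scalar values, each wrapped in $eq so the value
// is always treated as a literal. Anything else is rejected with an error.
function buildPopulateMatch(userMatch, allowedFields) {
  if (userMatch === null || typeof userMatch !== 'object' || Array.isArray(userMatch)) {
    throw new TypeError('match must be a plain object');
  }
  const bad = findOperatorKey(userMatch);
  if (bad !== null) throw new Error(`operator not allowed in match: ${bad}`);
  const match = {};
  for (const [field, value] of Object.entries(userMatch)) {
    if (!allowedFields.includes(field)) throw new Error(`field not allowed: ${field}`);
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      throw new Error(`non-scalar value for field: ${field}`);
    }
    match[field] = { $eq: value };
  }
  return match;
}

// Constructed sample input: a request body carrying a nested $where.
const risky = { author: 'alice', meta: { $where: 'this.x' } };
console.log(findOperatorKey(risky)); // prints "meta.$where"
console.log(buildPopulateMatch({ author: 'alice' }, ['author'])); // { author: { $eq: 'alice' } }
```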