CVE-2025-23061

Critical · RCE

Published: 15 January 2025
Modified: 31 October 2025
CVSS v3.1 score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.7186 (98.8th percentile)
Risk priority: 61 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23061 is a critical-severity Code Injection (CWE-94) vulnerability in Mongoosejs Mongoose. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.2% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Mongoose, an Object Document Mapper for MongoDB in Node.js applications, is affected by CVE-2025-23061 in versions prior to 8.9.5. The flaw allows improper handling of a nested $where filter when combined with a populate() match operation, resulting in search injection. This stems from an incomplete remediation of the earlier CVE-2024-53900 issue and is classified under CWE-94 with a CVSS 3.1 score of 9.0.

An unauthenticated remote attacker can supply a crafted query that triggers the injection condition through the populate mechanism. Successful exploitation can lead to arbitrary code execution or unauthorized data access, modification, and disruption within the affected MongoDB-backed application, with the attack vector rated as network-reachable but requiring high complexity.

The official Mongoose changelog, commit 64a9f9706f2428c49e0cfb8e223065acc645f7bc, and release 8.9.5 confirm that upgrading to version 8.9.5 or later resolves the incomplete fix and eliminates the search-injection path. The package is available on npm with the corrected versions listed. The associated EPSS score has reached a peak of 0.7424 and currently sits at 0.7186, indicating sustained exploitation interest following disclosure.

Vulnerability details

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The code injection vulnerability in Mongoose (a Node.js/MongoDB library) allows remote unauthenticated attackers to inject and execute arbitrary JavaScript via malicious $where filters in queries. This directly enables exploitation of public-facing applications (T1190) and use of the JavaScript interpreter for code execution (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42334 · Same product: Mongoosejs Mongoose
CVE-2026-25887 · Shared CWE-94
CVE-2026-41507 · Shared CWE-94
CVE-2026-43997 · Shared CWE-94
CVE-2026-1615 · Shared CWE-94
CVE-2026-33943 · Shared CWE-94
CVE-2026-33881 · Shared CWE-94
CVE-2026-4800 · Shared CWE-94
CVE-2026-25141 · Shared CWE-94
CVE-2025-26260 · Shared CWE-94

Affected Assets

mongoosejs / mongoose: ≤ 6.13.6 · 7.0.0 — 7.8.4 · 8.0.0 — 8.9.5

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Directly mitigates the search injection vulnerability by requiring timely remediation through upgrading Mongoose to version 8.9.5 or later, addressing the incomplete fix from CVE-2024-53900.

SI-10 Information Input Validation (prevent): Prevents exploitation of the nested $where filter in populate() match by implementing input validation and error handling on user-supplied query parameters.

Vulnerability scanning (detect): Detects the presence of vulnerable Mongoose versions prior to 8.9.5 through vulnerability scanning, enabling proactive patching.
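As an added, defender-side example of the SI-10 control above (this is not the advisory's or the Mongoose project's code): a recursive allow-list check over user-supplied filter and populate match objects, so a nested $where is rejected before the query ever reaches Mongoose. The helper names, the operator allow-list and the "author" populate path are assumptions; upgrading to 8.9.5 or later remains the actual fix.

```javascript
// Added example, not code from the advisory or from the Mongoose project.
// Defensive input validation for user-supplied query objects: any key that
// starts with "$" and is not on a small allow-list is rejected, at any depth,
// so a nested $where can never reach find() or a populate({ match }) option.
// assertSafeFilter, buildSafeQuery and the "author" path are hypothetical.

const ALLOWED_OPERATORS = new Set([
  '$eq', '$ne', '$gt', '$gte', '$lt', '$lte', '$in', '$nin',
]);

class UnsafeFilterError extends Error {
  constructor(key, path) {
    super(`operator ${key} is not permitted at ${path}`);
    this.name = 'UnsafeFilterError';
    this.key = key;
    this.path = path;
  }
}

// Walks objects and arrays recursively; returns the input unchanged when it
// is clean and throws UnsafeFilterError on the first disallowed operator key.
function assertSafeFilter(value, path = 'filter') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertSafeFilter(item, `${path}[${i}]`));
    return value;
  }
  if (value === null || typeof value !== 'object') {
    return value;
  }
  for (const key of Object.keys(value)) {
    if (key.startsWith('$') && !ALLOWED_OPERATORS.has(key)) {
      throw new UnsafeFilterError(key, path);
    }
    assertSafeFilter(value[key], `${path}.${key}`);
  }
  return value;
}

// Validates both the top-level filter and the populate match before either is
// handed to Mongoose, because the flaw is a $where nested in populate()'s match.
function buildSafeQuery(userFilter, userMatch) {
  return {
    filter: assertSafeFilter(userFilter, 'filter'),
    populate: {
      path: 'author',
      match: assertSafeFilter(userMatch, 'populate.match'),
    },
  };
}
```

The error's `path` property tells an incident responder exactly where in the request body the operator was found, which is useful for logging rejected requests.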
