CVE-2025-23061
Published: 15 January 2025
Summary
CVE-2025-23061 is a critical-severity Code Injection (CWE-94) vulnerability in Mongoosejs Mongoose. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the search injection vulnerability by requiring timely remediation through upgrading Mongoose to version 8.9.5 or later, addressing the incomplete fix from CVE-2024-53900.
- SI-10 (Information Input Validation): prevents exploitation of the nested $where filter in a populate() match by implementing input validation and error handling on user-supplied query parameters.
- Vulnerability scanning: detects the presence of vulnerable Mongoose versions prior to 8.9.5, enabling proactive patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The code injection vulnerability in Mongoose (a Node.js/MongoDB library) allows remote, unauthenticated attackers to inject and execute arbitrary JavaScript via malicious $where filters in queries, which maps directly to exploitation of public-facing applications and to use of the JavaScript interpreter for code execution.
NVD Description
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Deeper analysis
CVE-2025-23061 is a search injection vulnerability in the Mongoose library for MongoDB and Node.js, affecting versions prior to 8.9.5. The issue arises from improper handling of a nested $where filter within a populate() match operation, which allows malicious input to alter query behavior. This flaw stems from an incomplete fix for the prior CVE-2024-53900 and is classified under CWE-94 (code injection), with a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to potential high-impact confidentiality, integrity, and availability effects across a changed scope. The vulnerability was published on 2025-01-15.
Remote, unauthenticated attackers (PR:N) with network access (AV:N) can exploit this vulnerability despite requiring high attack complexity (AC:H) and no user interaction (UI:N). By crafting a malicious query with a nested $where filter in a populate() match, attackers can inject code into search operations, potentially leading to arbitrary code execution, data exfiltration, modification, or denial of service, as reflected in the high CIA impacts and scope change.
The fix ships in Mongoose version 8.9.5 and is documented in the project's CHANGELOG.md, the fixing commit (64a9f9706f2428c49e0cfb8e223065acc645f7bc), and the release page. Security practitioners should upgrade to 8.9.5 or later via npm, which closes the gap left by the incomplete fix for CVE-2024-53900.
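As an added example of the input-validation control (SI-10) described above, and not code from the Mongoose project or its fixing commit: a check that rejects $where wherever it appears inside a user-supplied populate() match filter, shown beside a top-level-only check whose blind spot is the same one an incomplete fix leaves. All function names and the sample filters are constructed for this illustration.

```javascript
// Added example (not Mongoose project code). Validates a user-supplied
// match filter before it is handed to populate({ match }). The point of
// CVE-2025-23061 is that checking only the top level of the filter is not
// enough: $where can sit inside $or/$and/$nor arrays or sub-documents, so
// the walk has to be recursive.

// Weak pattern: inspects only top-level keys and misses nested $where.
function hasTopLevelWhere(filter) {
  return filter !== null && typeof filter === 'object' && !Array.isArray(filter)
    && Object.prototype.hasOwnProperty.call(filter, '$where');
}

// Operators that evaluate server-side JavaScript and must never come from
// untrusted input. Extend as your deployment requires.
const FORBIDDEN = new Set(['$where', '$function']);

// Hardened pattern: walks objects and arrays recursively and returns the
// path of the first forbidden operator, or null when the filter is clean.
// Input is assumed to be parsed JSON (no cycles).
function findForbiddenOperator(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenOperator(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN.has(key)) return `${path}.${key}`;
      const hit = findForbiddenOperator(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null; // primitives (strings, numbers, dates) carry no operators
}

// Gate to call before passing a filter into populate({ match }).
function buildSafeMatch(userFilter) {
  const hit = findForbiddenOperator(userFilter);
  if (hit) throw new Error(`rejected filter: forbidden operator at ${hit}`);
  return userFilter;
}

// Constructed sample inputs.
const clean = { status: 'active', age: { $gte: 18 } };
const topLevel = { $where: 'this.a == 1' };                           // both checks catch this
const nested = { $or: [{ status: 'x' }, { $where: 'this.a == 1' }] }; // only the recursive check catches this
```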
Details
- CWE(s)