Description
Mongoose search injection vulnerability
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
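The description above boils down to one rule a defender can enforce on its own side as well: a filter that reaches populate({ match }) or find() must not carry a $where operator anywhere in its tree, not only at the top level. The block below is an added example written for this page, not Mongoose's own code or the patch from the referenced commit. All function names (containsWhere, shallowHasWhere, assertSafeMatch) and the sample filters are hypothetical and constructed here; the JavaScript inside the sample $where values is the inert literal "true".

```javascript
// Added example (not Mongoose's own code): an application-level guard that
// rejects any query filter containing the $where operator at any nesting
// depth, before the filter is handed to populate({ match }) or find().
// All names are hypothetical; the sample filters below are constructed.

const MAX_DEPTH = 32; // guard against pathologically deep filter objects

// Recursively walk plain objects and arrays looking for a "$where" key.
// Arrays matter because $or, $and, $nor and $in carry operands in arrays.
function containsWhere(filter, depth = 0) {
  if (depth > MAX_DEPTH) {
    throw new Error('filter nested too deeply');
  }
  if (Array.isArray(filter)) {
    return filter.some((item) => containsWhere(item, depth + 1));
  }
  if (filter === null || typeof filter !== 'object') {
    return false;
  }
  for (const [key, value] of Object.entries(filter)) {
    if (key === '$where') {
      return true;
    }
    if (containsWhere(value, depth + 1)) {
      return true;
    }
  }
  return false;
}

// A shallow check that only inspects top-level keys. It is here to show the
// failure mode the advisory describes: a $where nested inside another
// operator passes a check of this shape untouched.
function shallowHasWhere(filter) {
  return filter !== null
    && typeof filter === 'object'
    && !Array.isArray(filter)
    && Object.prototype.hasOwnProperty.call(filter, '$where');
}

// Validate a user-supplied match filter: returns it unchanged when no $where
// is present at any depth, throws otherwise. Call this before populate().
function assertSafeMatch(match) {
  if (containsWhere(match)) {
    throw new Error('$where operator is not allowed in a populate() match');
  }
  return match;
}

// Constructed sample filters; the $where bodies are the inert literal "true".
const SAMPLE_FILTERS = {
  plain: { active: true, role: 'user' },
  topLevel: { $where: 'true' },
  nestedInOr: { $or: [{ active: true }, { $where: 'true' }] },
  nestedInElemMatch: { tags: { $elemMatch: { $where: 'true' } } },
};

// Stand-alone run: compare the shallow and recursive checks on each sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, filter] of Object.entries(SAMPLE_FILTERS)) {
    console.log(name, 'shallow:', shallowHasWhere(filter), 'deep:', containsWhere(filter));
  }
}
```

Upgrading to the patched releases listed below is the actual fix; this guard is defence in depth for code paths where a request body or query string ends up inside a populate() match. The point of the example is the recursive walk: the shallow check returns false for the nestedInOr and nestedInElemMatch filters while the recursive one returns true, which is exactly the gap between a top-level-only check and the nested $where case the advisory names.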
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-23061
- https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- https://github.com/Automattic/mongoose/compare/6.13.5...6.13.6
- https://github.com/Automattic/mongoose/compare/7.8.3...7.8.4
- https://github.com/Automattic/mongoose/compare/8.9.4...8.9.5
- https://github.com/Automattic/mongoose/releases/tag/6.13.6
- https://github.com/Automattic/mongoose/releases/tag/7.8.4
- https://github.com/Automattic/mongoose/releases/tag/8.9.5
- https://github.com/advisories/GHSA-m7xq-9374-9rvx
- https://www.npmjs.com/package/mongoose?activeTab=versions
Packages
- mongoose: affected >= 8.0.0-rc0, < 8.9.5; patched in 8.9.5
- mongoose: affected >= 7.0.0-rc0, < 7.8.4; patched in 7.8.4
- mongoose: affected < 6.13.6; patched in 6.13.6
Related vulnerabilities
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
A vulnerability in the populate() function of the Mongoose library that allows an attacker to execute arbitrary code and gain read and write access to data.