Vulnerability Database

315,363

Total vulnerabilities in the database

CVE-2025-23061

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Published: Jan 15, 2025
Updated: Dec 29, 2025
CVE: CVE-2025-23061
GHSA: GHSA-vg7j-7cwx-8wgw
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
mongoose	8.0.0-rc0	8.9.5
mongoose	7.0.0-rc0	7.8.4
mongoose	-	6.13.6
mongoosejs / mongoose	-	6.13.6
mongoosejs / mongoose	7.0.0	7.8.4
mongoosejs / mongoose	8.0.0	8.9.5

https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc
https://github.com/Automattic/mongoose/compare/6.13.5...6.13.6
https://github.com/Automattic/mongoose/compare/7.8.3...7.8.4
https://github.com/Automattic/mongoose/compare/8.9.4...8.9.5
https://github.com/Automattic/mongoose/releases/tag/6.13.6
https://github.com/Automattic/mongoose/releases/tag/7.8.4
https://github.com/Automattic/mongoose/releases/tag/8.9.5
https://www.npmjs.com/package/mongoose?activeTab=versions

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo