Critical flaws reported in the Mongoose library expose MongoDB to SQL injection and RCE
Take action: If you are using the Mongoose library, review the advisory in detail. Ideally update Mongoose to the latest available version, or at least perform a proper risk assessment.
OPSWAT researchers are reporting two critical vulnerabilities in Mongoose, a widely-used Object Data Modeling (ODM) library connecting MongoDB and Node.js applications.
- CVE-2024-53900 (CVSS score 9.1): SQL injection leading to remote code execution, exploiting Mongoose's populate() method together with the $where operator
- CVE-2025-23061 (CVSS score 9.0): remote code execution through a bypass of the earlier patch, leveraging nested $where operators within $or clauses. As OPSWAT noted: "Mongoose inspects only the top-level properties of each object in the match array; the bypass payload remains undetected and eventually reaches the sift library, enabling the malicious RCE."
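The bypass described in the quote above comes down to a filter validator that looks only at the top-level keys of each object in the populate() match array. The following Node.js snippet is an added illustration and is not code from Mongoose or from OPSWAT: it places a top-level-only scan (the bypassable pattern) beside a recursive scan that walks nested $or / $and clauses, and wraps the recursive scan in a guard an application can call before passing any user-influenced filter to populate(). The function names (scanTopLevel, scanDeep, assertSafeMatch) and the three sample filters are constructed for this example.

```javascript
// Added example, not code from the Mongoose project or the OPSWAT advisory.
// Contrasts a top-level-only scan of a populate() `match` filter with a
// recursive scan, and provides a guard built on the recursive scan.
// Operators rejected at any depth of the filter.
const FORBIDDEN = new Set(['$where']);

// Naive check: inspects only the keys of each object in the match array,
// the pattern the advisory describes as bypassable via nested $or clauses.
function scanTopLevel(match) {
  const objects = Array.isArray(match) ? match : [match];
  return objects.some(
    (obj) =>
      obj !== null &&
      typeof obj === 'object' &&
      Object.keys(obj).some((key) => FORBIDDEN.has(key))
  );
}

// Recursive check: descends into nested objects and arrays ($or, $and,
// $nor, ...), so a forbidden operator is found wherever it sits.
function scanDeep(value, depth = 0) {
  if (depth > 32) throw new Error('filter nesting too deep');
  if (Array.isArray(value)) return value.some((v) => scanDeep(v, depth + 1));
  if (value === null || typeof value !== 'object') return false;
  for (const [key, child] of Object.entries(value)) {
    if (FORBIDDEN.has(key)) return true;
    if (scanDeep(child, depth + 1)) return true;
  }
  return false;
}

// Guard to call before handing a user-influenced filter to populate().
// Returns the filter unchanged when it is clean, throws otherwise.
function assertSafeMatch(match) {
  if (scanDeep(match)) {
    throw new Error('populate() match filter contains a forbidden operator');
  }
  return match;
}

// Constructed sample filters (benign $where bodies; the point is structure).
const plainMatch = { status: 'published' };
const topLevelWhere = { $where: 'this.status === "published"' };
const nestedWhere = {
  $or: [{ status: 'draft' }, { $where: 'this.status === "published"' }],
};

// Stand-alone demonstration of the difference between the two scans.
for (const [name, filter] of Object.entries({ plainMatch, topLevelWhere, nestedWhere })) {
  console.log(name, 'top-level:', scanTopLevel(filter), 'deep:', scanDeep(filter));
}
```

The top-level scan flags `topLevelWhere` but not `nestedWhere`; the recursive scan flags both. In a real application the guard is only one layer: the definitive fix is upgrading Mongoose so that the library itself performs the recursive check.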
The vulnerabilities could allow attackers to execute malicious code on the application server; access, manipulate, or exfiltrate data from MongoDB databases; potentially gain control of parts of the application; embed malicious code inside organizations' MongoDB databases; or corrupt or destroy stored data.
Affected versions:
- All versions prior to 8.8.3 (for CVE-2024-53900)
- Versions 8.8.3 through 8.9.4 (for CVE-2025-23061)
Fixed Versions:
- Version 8.8.3 (partial fix for first vulnerability)
- Version 8.9.5 (complete fix for both vulnerabilities)
- Current version 8.10.0 (recommended)
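To turn the version ranges above into a repeatable check (for example in a CI step that reads the installed package version), here is an added helper that is not part of Mongoose or of the advisory. It parses a version string and returns which of the two CVEs listed on this page apply, using exactly the ranges stated above; parseVersion, compareVersions and mongooseExposure are constructed names, and installedMongooseVersion is a convenience that works only where CommonJS require is available.

```javascript
// Added example, not code from the Mongoose project or the OPSWAT advisory.
// Classifies a Mongoose version against the affected ranges on this page:
//   CVE-2024-53900: all versions prior to 8.8.3
//   CVE-2025-23061: versions 8.8.3 through 8.9.4
// Parses "8.9.4" or "v8.9.4" into [8, 9, 4]; pre-release suffixes are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Three-way comparison of parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the CVE identifiers from the advisory that apply to `version`.
function mongooseExposure(version) {
  const v = parseVersion(version);
  const cves = [];
  if (compareVersions(v, [8, 8, 3]) < 0) cves.push('CVE-2024-53900');
  if (compareVersions(v, [8, 8, 3]) >= 0 && compareVersions(v, [8, 9, 4]) <= 0) {
    cves.push('CVE-2025-23061');
  }
  return cves;
}

// Reads the installed Mongoose version when run inside a project that has it;
// returns null when Mongoose is not installed or require is unavailable.
function installedMongooseVersion() {
  try {
    if (typeof require !== 'function') return null;
    return require('mongoose/package.json').version;
  } catch (e) {
    return null;
  }
}

// Stand-alone demonstration over constructed version strings.
for (const v of ['7.6.0', '8.8.2', '8.8.3', '8.9.4', '8.9.5', '8.10.0']) {
  const cves = mongooseExposure(v);
  console.log(v, cves.length ? `affected: ${cves.join(', ')}` : 'not affected');
}
const installed = installedMongooseVersion();
if (installed !== null) {
  console.log('installed mongoose', installed, mongooseExposure(installed));
}
```

Any version for which the function returns a non-empty list should be upgraded to at least 8.9.5, as the advisory recommends.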
Users are advised to update their Mongoose to at least version 8.9.5, ideally to the latest available version.