Posted on mongodb google news. Visit mongodb google news

Two critical flaws in the open-source Mongoose Object Data Modeling (ODM) library for MongoDB and Node.js, along with proof-of-concept (PoC) exploits for both vulnerabilities, were detailed in a blog post by OPSWAT on Thursday.  

The flaws are tracked as CVE-2024-53900 and CVE-2025-23061 and have critical CVSS 3 scores of 9.1 and 9.0, respectively.

CVE-2024-53900, which was first discovered and patched in November 2024, can lead to remote code execution (RCE) on the Node.js application server via search injection. CVE-2025-23061, fixed last month, is a bypass of the original patch for CVE-2024-53900, and can lead to RCE by slightly altering the exploit code.

Mongoose helps streamline interactions between MongoDB and Node.js applications and is widely used by application developers, having more than 27,000 stars and 3,800 forks on GitHub, and more than 19,000 dependents in the NPM package repository.

Both vulnerabilities involve the $where operator, which can be used with the populate() function to filter which data is retrieved from MongoDB documents to replace references and populate the application. The $where allows the execution of arbitrary JavaScript code to define specific data retrieval criteria, meaning malicious code could be executed if an attacker controls the input after the $where operator.

Attempting to execute malicious code on the MongoDB server using the $where operator would typically result in an error, noted OPSWAT, as execution on the MongoDB server is restricted to a predefined list of basic operations and functions.  

However, OPSWAT Critical Infrastructure Cybersecurity Graduate Fellow Dat Phung, who discovered both vulnerabilities, found that malicious code under the $where operator could be passed to a function within populate() known as sift(), which would lead the arbitrary code to be executed locally on the application server.

By crafting a query to ensure the request will be passed to sift(), while avoiding triggering the MongoDB server error by including a variable MongoDB does not recognize, Phung was able to achieve RCE on a Node.js application server.  

The Mongoose maintainers fixed the CVE-2024-53900 vulnerability in version 8.8.3, by disallowing the use of $where within the match property passed to populate(). However, Phung found that the $where operator could still be passed to populate() if it was nested within an $or operator, constituting the flaw tracked as CVE-2025-23061.

Phung developed a new PoC exploit showing that RCE could still be achieved on an application server by nesting $where inside an $or clause, despite the initial patch. This bypass flaw was fixed in Mongoose version 8.9.5, and OPSWAT recommends developers upgrade to the latest Mongoose versions to resolve both flaws.

Article originally posted on mongodb google news. Visit mongodb google news