Two critical vulns lead to stolen MongoDB data, RCE – The Register

MMS Founder

Posted on mongodb google news. Visit mongodb google news

Security sleuths found two critical vulnerabilities in a third-party library that MongoDB relies on, which means bad guys can potentially steal data and run code.

Mongoose is an Object Data Modeling (ODM) library for MongoDB to enable database integrations in Node.js applications. It allows JavaScript objects to be mapped to MongoDB documents, providing an abstraction layer to help with the management and validation of structured data. Mongoose has 19,593 dependents, according to its Node Package Manager page, and over 27,000 stars on GitHub.

It also has two critical security flaws, researchers at OPSWAT revealed today, threatening the integrity of data stored in MongoDB and opening it up to theft, manipulation, or destruction. 

First up is CVE-2024-53900 (9.1), a classic SQL injection bug that adds to the pile already causing US security agencies to fume.

The vulnerability hinged on the mechanics of Mongoose’s populate() method and the library allowing the $where operator to be used in match queries. A specially crafted query could bypass MongoDB’s server-side JavaScript restrictions and potentially lead to remote code execution (RCE). It meant attackers could access, manipulate, or exfiltrate data in MongoDB they ordinarily shouldn’t be able to.

Dat Phung, a researcher from Vietnam and distinguished fellow at OPSWAT’s Critical Infrastructure Cybersecurity Graduate Fellowship Program, reported the vulnerability in early November, and Mongoose patched it in version 8.8.3, disallowing the use of $where in match queries.

On December 17, Phung discovered a bypass in the patched version that still allowed for RCE and could lead to data theft. Mongoose addressed this second discovery in version 8.9.5 and the National Vulnerability Database (NVD) assigned it a separate identifier: CVE-2025-23061 (9.0).

It turns out the initial patch (8.8.3) only blocked the use of $where in a single nested level, but Phung realized that if $where was embedded inside an $or operator, then the patch could be bypassed and MongoDB data could then be compromised.

OPSWAT’s report noted: “Mongoose inspects only the top-level properties of each object in the match array, the bypass payload remains undetected and eventually reaches the sift library, enabling the malicious RCE.”
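To make the difference between the shallow and the nested check concrete, here is an added example (not Mongoose's or OPSWAT's code) that contrasts a top-level-keys-only inspection of a populate() match filter with a recursive walk that finds `$where` at any depth, including inside an `$or` array. The filter objects and the function names are constructed for illustration.

```javascript
'use strict';

// Shallow check: inspects only the top-level keys of each object in the
// match array. This models the kind of inspection the article describes
// as bypassable when $where is nested inside another operator.
function shallowHasWhere(match) {
  const objs = Array.isArray(match) ? match : [match];
  return objs.some(o => o !== null && typeof o === 'object' &&
    Object.prototype.hasOwnProperty.call(o, '$where'));
}

// Deep check: walks every nested object and array, so a $where key is
// found whether it sits at the top level or under $or / $and / $nor.
function deepHasWhere(value) {
  if (Array.isArray(value)) return value.some(v => deepHasWhere(v));
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(k => k === '$where' || deepHasWhere(value[k]));
}

// Guard to run on untrusted match filters before passing them to populate():
// rejects $where at any depth and otherwise returns the filter unchanged.
function assertSafeMatch(match) {
  if (deepHasWhere(match)) {
    throw new Error('$where is not allowed in populate() match filters');
  }
  return match;
}

// Constructed sample filters (hypothetical field names).
const benign = { status: 'active' };
const topLevel = { $where: 'this.status === "active"' };         // both checks catch this
const nested = { $or: [{ status: 'x' }, { $where: 'this.n > 1' }] }; // only the deep check does

for (const [name, f] of Object.entries({ benign, topLevel, nested })) {
  console.log(name, 'shallow:', shallowHasWhere(f), 'deep:', deepHasWhere(f));
}
```

The deep check inspects only object keys, so a string value that merely contains the text "$where" is not flagged; the point is to reject the operator wherever it could be evaluated.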

According to Mongoose’s NPM page, in just the last seven days version 8.8.3 was downloaded more than 38,500 times, suggesting the attack surface remains sizable. The downloads for 8.9.5 stand at just over 250,000 for the same period, however, and the most up-to-date version (8.10.0) has more than 452,000 downloads.

OPSWAT advised all users to upgrade to the latest version of Mongoose to mitigate the threat. The vendor released proof-of-concept exploits for both vulnerabilities today, too, which means there’s all the more reason to apply the fixes before attackers get their mitts on the blueprints.

In a heavily simplified summary of the findings, supplied to The Register, it said: “Building apps is like building with LEGO bricks – you use lots of small pieces to make something big. But if even one brick is broken, the whole thing could fall apart. 

“That’s what happens when developers use tools like Mongoose or MongoDB but don’t check for updates or fixes. It’s not their fault, but it’s a lesson in why keeping tools up to date is so important.

“Bugs in software like Mongoose might sound like a small problem, but they can have a ripple effect if hackers find and use them first.” ®
