CVE-2024-53900

Tags: Critical · Exploited in the wild · Nuclei template · Lab available

mongoosejs/mongoose < 6.13.5 and >=8.0.0-rc0 <8.8.3 - Search Injection via $where in Match


Exploitation Summary

CVE-2024-53900 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including AikidoSec, www-spam, Gokul-Krishnan-V-R. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional exploit PoCs for multiple CVEs, including a JavaScript injection vulnerability (AIKIDO-2026-10165) and a path traversal vulnerability (CVE-2014-3744). The PoCs demonstrate the vulnerabilities and validate that the Aikido Zen Firewall blocks them.

Description

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Exploits (3)

Source: GitHub · Working PoC · 6 stars
By: AikidoSec · tags: javascript, poc
URL: https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2024-53900

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Node.js applications using @enspirit/elo and st modules
Authentication: none needed
Prerequisites: Node.js environment · Docker for containerized testing
Analyzed by devstral-2 on Feb 27, 2026
Source: nomisec · Working PoC
By: www-spam · tag: infoleak
URL: https://github.com/www-spam/CVE-2024-53900

This repository provides a functional PoC for CVE-2024-53900, demonstrating RCE in Mongoose < 8.8.3 via `populate().match` combined with `$where` injection. It includes a vulnerable Node.js app, automated exploit script, and Nuclei template for testing.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mongoose < 8.8.3
Authentication: none needed
Prerequisites: MongoDB instance · Vulnerable Mongoose version
Analyzed by devstral-2 on Feb 16, 2026
Source: nomisec · Working PoC
By: Gokul-Krishnan-V-R · tag: poc
URL: https://github.com/Gokul-Krishnan-V-R/CVE-2024-53900

This repository contains a CTF challenge demonstrating CVE-2024-53900, a vulnerability in Mongoose that allows Remote Code Execution (RCE) due to improper use of the `$where` operator in MongoDB queries. The provided code includes a vulnerable Express.js server and a frontend for exploiting the vulnerability.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mongoose (specific version not specified)
Authentication: none needed
Prerequisites: Node.js · MongoDB
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Mongoose < 8.8.3 - Remote Code Execution
Severity: Critical · Verified · by h4mg
Shodan query: Server: Mongoose
(Note: a "Server: Mongoose" HTTP response header identifies the Mongoose embedded web server, not the Mongoose Node.js ODM that this CVE concerns; the query is only a coarse pivot and will match unrelated hosts.)

Scores

CVSS v3: 9.1
EPSS: 0.0391
EPSS Percentile: 88.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Lab Environment

Community Lab
docker pull mongo:6
docker pull mongo:5

Details

VulnCheck KEV: 2025-11-27
CWE: CWE-89
Status: published
Products (4):
mongoosejs/mongoose 7.0.0 rc0
mongoosejs/mongoose 8.0.0 rc0
mongoosejs/mongoose < 6.13.5
npm/mongoose 8.0.0-rc0 - 8.8.3
Published: Dec 02, 2024
Tracked Since: Feb 18, 2026