CVE-2025-23061

CRITICAL NUCLEI

Mongoose < 6.13.6 - Code Injection

Title source: rule

Description

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Exploits (1)

nomisec WORKING POC

by dajneem23 · poc

https://github.com/dajneem23/CVE-2025-23061

View Code ZIP pw:eip

Nuclei Templates (1)

Mongoose - NoSQL Injection

CRITICALVERIFIEDby NamhyunKo

Shodan: title:"Mongoose"

FOFA: title="Mongoose"

References (4)

[Release Notes] https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md

[Patch] https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc

[Release Notes] https://github.com/Automattic/mongoose/releases/tag/8.9.5

[Product] https://www.npmjs.com/package/mongoose?activeTab=versions

Scores

CVSS v3 9.0

EPSS 0.5591

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-94

Status published

Affected Products (2)

mongoosejs/mongoose < 6.13.6

npm/mongoose < 8.9.5npm

Timeline

Published Jan 15, 2025

Tracked Since Feb 18, 2026