CVE-2025-23061

Critical CVSS: 9.0

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Vendor

Mongoosejs

Product

Mongoose

CWE

CWE-94

Yayın Tarihi

2025-01-15 05:15:10

Güncelleme

2025-10-31 18:56:04

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-94 Mongoose CRITICAL Mongoosejs 2025

Referanslar

https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc https://github.com/Automattic/mongoose/releases/tag/8.9.5 https://www.npmjs.com/package/mongoose?activeTab=versions

Benzer Kayıtlar

Medium

CVE-2026-2967

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file…

Medium

CVE-2026-2968

A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of t…

Medium

CVE-2026-2966

A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the…

Medium

CVE-2025-65502

Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of s…

High

CVE-2025-51495

An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially cr…