Miggo Logo
Miggo Vulnerability Database
CVE-2025-23061

CVE-2025-23061: Mongoose search injection vulnerability

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-23061
GHSA ID
GHSA-vg7j-7cwx-8wgw
EPSS Score
0.25395%
CWE
CWE-94
Published
1/15/2025
Updated
1/17/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mongoosenpm>= 8.0.0-rc0, < 8.9.58.9.5
mongoosenpm>= 7.0.0-rc0, < 7.8.47.8.4
mongoosenpm< 6.13.66.13.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper validation of the $where operator in populate() match clauses. The original code in getModelsMapForPopulate.js checked for $where at the top level or in arrays but failed to recursively inspect nested objects (e.g., $or, $and). The patch introduced a recursive throwOn$where function to address this. The affected functions (getModelsMapForPopulate and _virtualPopulate) processed the match parameter without this recursive check in vulnerable versions, making them entry points for injection. The commit diff and CVE description explicitly reference this population match handling as the flawed component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mon*oos* v*rsions prior to *.*.*, *.*.*, *n* *.**.* *r* vuln*r**l* to improp*r us* o* t** `$w**r*` op*r*tor. T*is vuln*r**ility *ris*s *rom t** **ility o* t** `$w**r*` *l*us* to *x**ut* *r*itr*ry J*v*S*ript *o** in Mon*o** qu*ri*s, pot*nti*lly l***in

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion o* t** `$w**r*` op*r*tor in `popul*t*()` m*t** *l*us*s. T** ori*in*l *o** in **tMo**lsM*p*orPopul*t*.js ****k** *or `$w**r*` *t t** top l*v*l or in *rr*ys *ut **il** to r**ursiv*ly insp**t n*st** o*j**
CVE-2025-23061: Mongoose $where Code Injection | Miggo