4 matches found

Nuclei
added 16 hours ago, 6 views

Mongoose - NoSQL Injection

NoSQL injection vulnerability in Mongoose 8.9.5 affecting the populate function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operator...

CVSS 9.8, AI score 7.8, EPSS 0.55322
Exploits: 3, References: 4
OSV
added 2025/09/25 8:46 a.m., 2 views

BIT-MONGOOSE-2025-23061

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...

CVSS 9.8, AI score 7, EPSS 0.55322
Exploits: 3, References: 5
Positive Technologies
added 2025/01/13 12:0 a.m., 1 view

PT-2025-4804

Name of the Vulnerable Software and Affected Versions: Mongoose versions prior to 8.9.5; Mongoose versions prior to 7.8.4; Mongoose versions prior to 6.13.6. Description: Mongoose is susceptible to a search injection issue due to the improper handling of nested $where filters when used with populate...

CVSS 9.8, AI score 9.1, EPSS 0.55322
Exploits: 3, References: 38
RedHat Linux
added 2013/02/28 6:53 p.m., 2 views

rubygem-activerecord: SQL injection when processing nested query parameters (a different flaw than CVE-2012-2661)

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...

CVSS 7.5, AI score 7.2, EPSS 0.00637
Exploits: 4, References: 4