Mongoose - NoSQL Injection

NoSQL injection vulnerability in Mongoose 8.9.5 affecting the populate function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operator...

BIT-MONGOOSE-2025-23061

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...

Exploit for CVE-2024-53900

CVE-2024-53900 - Mongoose populate.match $where RCE This r...

Search Injection

Mongoose is vulnerable to Search Injection. The vulnerability is due to improper handling of a nested $where filter with a populate match, allows the improper handling of a nested $where filter with a populate match, which can be exploited for search injection attacks...

CVE-2025-23061

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900...

PT-2025-4804

Name of the Vulnerable Software and Affected Versions Mongoose versions prior to 8.9.5 Mongoose versions prior to 7.8.4 Mongoose versions prior to 6.13.6 Description Mongoose is susceptible to a search injection issue due to the improper handling of nested $where filters when used with populate...