Summary: Two critical vulnerabilities have been disclosed in Mongoose, the MongoDB object-document mapper (ODM) for Node.js, which can lead to data theft and remote code execution (RCE) in applications that use it with MongoDB. CVE-2024-53900 and CVE-2025-23061 stem from improper handling of the $where operator in query filters, which let attacker-shaped filters reach the database with the operator intact and so bypass the library's own checks. Mongoose has released patches, and users are urged to upgrade to mitigate these vulnerabilities.
Affected: Node.js applications using the Mongoose ODM with MongoDB
Keypoints:
- Two critical vulnerabilities identified in Mongoose, affecting MongoDB users.
- CVE-2024-53900 is a search (NoSQL) injection bug, not SQL injection: the $where operator, which executes server-side JavaScript inside MongoDB, could be smuggled into the match filter passed to populate().
- CVE-2025-23061 is a bypass of the initial patch: nesting $where inside another operator in the match filter slipped past the first check, so RCE and potential data theft remained possible on versions with only the first fix.
- Users are encouraged to upgrade to the latest Mongoose version (8.10.0 at the time of the report; the two fixes landed in 8.8.3 and 8.9.5 respectively) to avoid exploitation.
- OPSWAT’s report highlights the importance of keeping software dependencies up to date to prevent severe security risks.
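The keypoints above describe the shape of the flaw (a $where operator reaching a match filter) and of the bypass (the same operator one level deeper). The following is an added example written for this page, not Mongoose's code or the fix it shipped: it contrasts a shallow guard that only inspects top-level keys with a recursive one that catches nested $where, and shows the allowlist-based construction of a match filter that is preferable to sanitising attacker input at all. The sample filters, the helper names (`shallowHasWhere`, `deepHasWhere`, `buildMatch`, `assertSafeMatch`) and the allowed-field set are assumptions for illustration; the only way to actually close the two CVEs is to upgrade.

```javascript
'use strict';

// Constructed sample filters (illustration only, not payloads from the report).
const SAFE_FILTER = { author: 'alice', tags: { $in: ['news', 'db'] } };
const TOP_LEVEL_WHERE = { $where: 'this.secret.length > 0' };
const NESTED_WHERE = { $or: [{ author: 'bob' }, { $where: 'true' }] };

// Shallow check: inspects only the top-level keys. A $where hidden one level
// down (inside $or, $and, $elemMatch, ...) is not seen, which is exactly the
// gap a nested payload exploits.
function shallowHasWhere(filter) {
  return filter !== null && typeof filter === 'object' &&
    Object.keys(filter).includes('$where');
}

// Recursive check: walks objects and arrays to any depth so a nested $where
// is still caught. The depth bound prevents a deeply nested payload from
// turning the guard itself into a stack-exhaustion DoS.
function deepHasWhere(value, depth = 0) {
  if (depth > 32) throw new Error('filter nesting too deep');
  if (Array.isArray(value)) {
    return value.some((item) => deepHasWhere(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '$where') return true;
      if (deepHasWhere(value[key], depth + 1)) return true;
    }
  }
  return false;
}

// Preferred pattern: never hand an attacker-shaped object to the ODM as a
// filter. Build the match from an allowlist of fields and accept only plain
// string values, so no operator key ($where, $regex, $expr, ...) can be
// injected at any depth. ALLOWED_MATCH_FIELDS is an assumed schema.
const ALLOWED_MATCH_FIELDS = new Set(['author', 'status']);

function buildMatch(userInput) {
  const match = {};
  for (const [key, raw] of Object.entries(userInput || {})) {
    if (!ALLOWED_MATCH_FIELDS.has(key)) continue;
    if (typeof raw !== 'string') continue; // an object value could smuggle operators
    match[key] = raw;
  }
  return match;
}

// Defence-in-depth gate for code paths that genuinely must accept a filter:
// reject on any $where before the filter is passed to Mongoose.
function assertSafeMatch(filter) {
  if (deepHasWhere(filter)) {
    throw new Error('$where is not allowed in a match filter');
  }
  return filter;
}

// How the three sample filters fare under each guard.
function demo() {
  const samples = [SAFE_FILTER, TOP_LEVEL_WHERE, NESTED_WHERE];
  return {
    shallow: samples.map(shallowHasWhere), // [false, true, false]
    deep: samples.map(deepHasWhere),       // [false, true, true]
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The `demo()` output makes the bypass concrete: the shallow guard reports the nested filter as clean, the recursive one does not. As an additional hardening measure independent of the library, server-side JavaScript can be disabled in mongod (`security.javascriptEnabled: false`), which removes the $where execution path entirely; that does not fix the injection, but it turns an RCE primitive into a failed query.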
Source: https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/