Critical Vulnerabilities Found in Mongoose Library: Urgent Update Recommended for Node.js Users
February 21, 2025
Recent findings from cybersecurity platform OPSWAT reveal two critical vulnerabilities in the Mongoose ODM library for MongoDB, which could allow remote code execution on Node.js servers.
Mongoose, which maps JavaScript objects to MongoDB documents, has over 19,593 dependents and more than 27,000 stars on GitHub, highlighting its widespread use.
The library, essential for MongoDB and widely used in Node.js applications, has seen significant downloads, with version 8.9.5 alone surpassing 250,000 downloads, indicating a large attack surface.
The first vulnerability, tracked as CVE-2024-53900, enables attackers to exploit the $where operator, potentially leading to arbitrary code execution.
The $where operator allows JavaScript execution on the MongoDB server, and insufficient input validation in Mongoose allowed it to be reached from user-controlled queries.
The vulnerabilities stem from the use of the populate() method and the $where operator in match queries, which could lead to unauthorized access and data manipulation.
Mongoose's handling of user-controlled input is particularly risky, as it passes the $where value to an external library function without proper checks.
OPSWAT's report highlighted that Mongoose only inspects top-level properties in match arrays, allowing malicious payloads to evade detection and reach the sift library.
A second vulnerability, CVE-2025-23061, was identified after a bypass in the initial patch for CVE-2024-53900 was discovered, prompting Mongoose to issue an updated patch in version 8.9.5.
This second vulnerability arises because the initial patch only blocked the $where operator at a single nested level, allowing it to be embedded within an $or operator to bypass the check.
In light of these vulnerabilities, OPSWAT has released proof-of-concept exploit code and strongly advises all users to update to Mongoose version 8.9.5 or later for complete protection.
These incidents underscore the critical importance of keeping software tools up to date to prevent security breaches, regardless of how minor the flaws may seem.
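As an added example (not code from Mongoose or OPSWAT), the following Node.js snippet shows why checking only the top-level keys of a match filter misses a $where nested inside $or, and a recursive check a defender can apply to user-supplied filters before they reach populate()/sift. The filter shapes and function names are assumptions.

```javascript
// Added example (not Mongoose's or OPSWAT's code): a top-level-only check for
// $where versus a recursive check that also finds it inside $or / $and / $nor.
'use strict';

// Naive check: rejects only a $where key on the top-level filter object.
function hasTopLevelWhere(filter) {
  return filter !== null && typeof filter === 'object' && '$where' in filter;
}

// Recursive check: walks nested objects and arrays, so a $where hidden under
// a logical operator (or any deeper object) is detected as well.
function hasNestedWhere(value, depth = 0) {
  if (depth > 64) return true; // pathological nesting: treat as unsafe
  if (Array.isArray(value)) return value.some((v) => hasNestedWhere(v, depth + 1));
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([key, v]) => key === '$where' || hasNestedWhere(v, depth + 1),
  );
}

// Guard for a match filter: throw instead of forwarding a $where onward.
function assertSafeMatch(filter) {
  if (hasNestedWhere(filter)) {
    throw new Error('rejected match filter: $where operator is not allowed');
  }
  return filter;
}

// Constructed sample filters (assumed shapes for illustration only).
const SAMPLE_FILTERS = {
  benign: { $or: [{ status: 'active' }, { role: 'admin' }] },
  topLevel: { $where: 'return true' },
  nestedInOr: { $or: [{ name: 'x' }, { $where: 'return true' }] },
};

// Report what each check says about each sample so the gap is visible.
function compareChecks(filters = SAMPLE_FILTERS) {
  const out = {};
  for (const [name, f] of Object.entries(filters)) {
    out[name] = { topLevel: hasTopLevelWhere(f), recursive: hasNestedWhere(f) };
  }
  return out;
}

console.log(compareChecks());
```

The `nestedInOr` sample is the case the top-level check reports as clean while the recursive check rejects it.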
Summary based on 2 sources
Sources

The Register • Feb 20, 2025
Critical flaws in Mongoose library expose MongoDB to data thieves, code execution
SecurityWeek • Feb 21, 2025
Vulnerabilities in MongoDB Library Allow RCE on Node.js Servers