Summary: Two critical vulnerabilities in the Mongoose ODM library for MongoDB could allow remote code execution (RCE) on Node.js servers. The flaws, CVE-2024-53900 and CVE-2025-23061, stem from insufficient validation of user-controlled input reaching the $where operator. A patch was released for the first issue, but the second vulnerability bypasses that initial fix, so users should update Mongoose immediately.
Affected: Mongoose ODM library for MongoDB
Keypoints:
- Critical vulnerabilities may allow attackers to execute remote code on Node.js application servers.
- The patch for CVE-2024-53900 can be bypassed by embedding the $where operator within the $or operator.
- Users are urged to update to Mongoose version 8.9.5 or later to ensure protection against these vulnerabilities.
Source: https://www.securityweek.com/vulnerabilities-in-mongodb-library-allow-rce-on-node-js-servers/