Security flaw discovered in Mongoose makes MongoDB vulnerable


Mongoose, a popular developer library for MongoDB, contains vulnerabilities. The bugs enable remote code execution. Developers are advised to update Mongoose immediately.

Researchers at Opswat discovered two vulnerabilities in Mongoose, a library widely used to work with MongoDB databases from Node.js applications. The vulnerabilities could allow attackers to execute unauthorized code and gain access to sensitive data.

Two vulnerabilities

The first vulnerability, CVE-2024-53900, concerns the way Mongoose handles the `$where` query operator. A flaw in this functionality allows attackers to bypass MongoDB’s JavaScript restrictions and potentially execute code on the application server, which would let them steal, manipulate or destroy data.

The second vulnerability, CVE-2025-23061, is older. This bug was partially fixed earlier, but still appears to be exploitable via an alternative method of attack. This can again lead to compromise of the application server and the data stored on it.

Mongoose’s developers have released updates that fix both vulnerabilities, and users of the library should install them as soon as possible. Mongoose 8.8.3 is affected by the bugs. Fixed releases are already available: versions 8.9.5 and 8.10.0.
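Two defensive checks that follow from the article, written here as an added example (it is not code from the article, from Opswat, or from the Mongoose project): a guard that refuses to pass request-supplied filter objects containing the `$where` operator to the database layer, and a version check that flags installed Mongoose releases below 8.9.5, the lower of the two fixed versions the article names. The function names, the `FIRST_FIXED_VERSION` constant and the sample filters are assumptions constructed for this example; the filter shapes (`$or` arrays, a populate `match` option) are ordinary MongoDB/Mongoose query shapes rather than anything specific to the reported bugs.

```javascript
// Added example, not code from the article or the Mongoose project.
// Defensive guard: reject untrusted filters that carry the `$where` operator,
// and flag Mongoose versions below the first fixed release the article names.

// Recursively walk a filter object and return the JSON-ish path of every
// `$where` key found. Handles nested operator arrays ($or/$and), the `match`
// object of a populate() option, and plain nested documents. A Set of visited
// objects guards against cyclic input.
function findWhereOperators(value, path = "$", seen = new Set()) {
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  if (seen.has(value)) return hits;
  seen.add(value);
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      hits.push(...findWhereOperators(item, `${path}[${i}]`, seen));
    });
    return hits;
  }
  for (const key of Object.keys(value)) {
    const childPath = `${path}.${key}`;
    if (key === "$where") hits.push(childPath);
    hits.push(...findWhereOperators(value[key], childPath, seen));
  }
  return hits;
}

// Throws if `$where` appears anywhere in the filter; otherwise returns the
// filter unchanged so it can be used inline, e.g.
//   Model.find(assertNoWhere(req.body.filter))   (hypothetical usage)
function assertNoWhere(filter) {
  const hits = findWhereOperators(filter);
  if (hits.length > 0) {
    throw new Error(`rejected filter: $where operator found at ${hits.join(", ")}`);
  }
  return filter;
}

// Minimal semantic-version comparison for dotted numeric versions:
// negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The article names 8.9.5 and 8.10.0 as releases carrying the fixes; anything
// below 8.9.5 is treated here as needing an update (assumption based on the
// article's figures; check the project's advisory for exact ranges).
const FIRST_FIXED_VERSION = "8.9.5";
function needsMongooseUpdate(installedVersion) {
  return compareSemver(installedVersion, FIRST_FIXED_VERSION) < 0;
}

// Constructed sample filters, shaped like request bodies an API might accept.
const sampleFilters = {
  safe: { status: "active", $or: [{ role: "admin" }, { role: "editor" }] },
  topLevel: { $where: "this.count > 1" },
  nestedInOr: { $or: [{ role: "admin" }, { $where: "this.count > 1" }] },
  populateMatch: { path: "author", match: { $where: "this.count > 1" } },
};

// Stand-alone demonstration over the constructed samples.
for (const [name, filter] of Object.entries(sampleFilters)) {
  console.log(name, "->", findWhereOperators(filter));
}
for (const v of ["8.8.3", "8.9.5", "8.10.0"]) {
  console.log(`mongoose ${v}: update needed = ${needsMongooseUpdate(v)}`);
}
```

The guard is a mitigation for untrusted input, not a replacement for updating: an application that never builds filters from request data still needs the patched release, and one that does should run the check at the API boundary before any query or populate option reaches Mongoose.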