CVE-2025-23061 Information
Jan 16, 2025
Description
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Reference
https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc
https://github.com/Automattic/mongoose/releases/tag/8.9.5
https://www.npmjs.com/package/mongoose?activeTab=versions