
Vulnerabilities in MongoDB Library Allow RCE on Node.js Servers

OPSWAT details two critical vulnerabilities in the Mongoose ODM library for MongoDB leading to remote code execution on the Node.js server.

Two critical-severity vulnerabilities in the Mongoose Object Data Modeling (ODM) library for MongoDB could have allowed attackers to achieve remote code execution (RCE) on the Node.js application server, cybersecurity platform OPSWAT reports.

Widely adopted in production environments, Mongoose enables the mapping of JavaScript objects to MongoDB documents, leading to easier data management and validation. However, the function that improves working with relationships between documents could be exploited for RCE.

The first of the critical-severity flaws in the library, tracked as CVE-2024-53900, could allow an attacker to exploit the $where value to potentially achieve RCE on Node.js. The second issue, tracked as CVE-2025-23061, is a bypass for CVE-2024-53900’s patch.

As OPSWAT explains, $where is a MongoDB query operator that enables the execution of JavaScript directly on the MongoDB server, but with certain limitations.

When processing retrieved data, one of Mongoose’s functions would pass the $where value to a function imported from an external library, which would process the queries locally on the application server, without performing input validation.

“This lack of input validation and restriction introduces a significant security vulnerability, as the ‘params’ value – directly controlled by user input – can be exploited, potentially leading to code injection attacks,” OPSWAT notes.

The patch for CVE-2024-53900 added a check to disallow passing the $where operator to the vulnerable function, thus preventing the execution of malicious payloads.

However, the patch could be bypassed by embedding the $where operator in the $or operator supported by both MongoDB and the vulnerable function.


“As a result, an attacker can nest $where under $or to evade the patch’s single-level check. Because Mongoose inspects only the top-level properties of each object in the match array, the bypass payload remains undetected and eventually reaches the sift library, enabling the malicious RCE,” OPSWAT notes.
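The bypass described above comes down to a depth-of-inspection problem: a check that looks only at the top-level keys of a filter object misses the same operator once it is wrapped in $or. The following is an added example written for this article, not code from OPSWAT, Mongoose or the sift library. It assumes only that the filter is a plain MongoDB-style query object; the shallow check is a stand-in for a single-level check of the kind the article describes, and the sample filters are constructed for illustration.

```javascript
// Added example: contrasts a top-level-only check for the $where operator with a
// recursive check that also descends into $or/$and/$nor sub-filters, and shows a
// defensive wrapper that rejects a filter before it reaches a local evaluator
// such as sift. None of this is Mongoose's or sift's own code.

// A shallow check: inspects only the top-level keys of one object.
function shallowHasWhere(filter) {
  return Object.keys(filter).includes('$where');
}

// A recursive check: walks every nested object and array in the filter
// (including the sub-filter arrays under $or, $and and $nor) and returns the
// dotted key path where `op` was first found, or null if it is absent.
function findOperator(filter, op, path = []) {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findOperator(filter[i], op, [...path, i]);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (filter === null || typeof filter !== 'object') return null;
  for (const [key, value] of Object.entries(filter)) {
    if (key === op) return [...path, key].join('.');
    const hit = findOperator(value, op, [...path, key]);
    if (hit !== null) return hit;
  }
  return null;
}

// Defensive wrapper: refuse any filter that contains $where at any depth,
// reporting where it was found so the rejection can be logged.
function assertNoWhere(filter) {
  const where = findOperator(filter, '$where');
  if (where !== null) {
    throw new Error(`rejected filter: $where operator found at ${where}`);
  }
  return filter;
}

// Constructed sample filters (the $where bodies are inert placeholders).
const plainFilter = { status: 'active', age: { $gt: 18 } };
const topLevelWhere = { $where: 'return true' };
const nestedWhere = { $or: [{ status: 'active' }, { $where: 'return true' }] };
const deeplyNested = { $and: [{ $or: [{ $nor: [{ $where: 'return true' }] }] }] };

// Demonstration: the shallow check catches only the top-level case, while the
// recursive check flags both the top-level and the nested placements.
for (const [name, f] of Object.entries({ plainFilter, topLevelWhere, nestedWhere, deeplyNested })) {
  console.log(name, '| shallow:', shallowHasWhere(f), '| recursive:', findOperator(f, '$where'));
}

module.exports = { shallowHasWhere, findOperator, assertNoWhere };
```

Running the block prints one line per sample filter; `nestedWhere` is the case that matters, since the shallow check reports `false` for it while the recursive check reports the path `$or.1.$where`. Because the recursive check descends into every object and array rather than a fixed list of operators, it also covers placements under `$and` and `$nor` and any future wrapper operator, which is the property a deny-list check needs in order not to be bypassed by nesting.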

The cybersecurity organization has released proof-of-concept (PoC) exploit code targeting both vulnerabilities and recommends updating Mongoose to version 8.9.5 or later, which contains complete patches for the two bugs.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
