Mongoose search injection vulnerability
Critical severity
GitHub Reviewed
Published
Jan 15, 2025
to the GitHub Advisory Database
•
Updated Jan 16, 2025
Description
Published by the National Vulnerability Database
Jan 15, 2025
Published to the GitHub Advisory Database
Jan 15, 2025
Reviewed
Jan 16, 2025
Last updated
Jan 16, 2025
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
References