A researcher has uncovered two related vulnerabilities in a popular developer library used to connect applications and MongoDB that could allow hackers to sneak into your database.
Mongoose is an object data modeling (ODM) library for MongoDB that connects it to the Node.js runtime environment, essentially simplifying interactions between applications and MongoDB databases.
The flaws were discovered by Dat Phung, a member of OPSWAT’s fellowship program, who chose to examine Mongoose due to its widespread use in production environments.
OPSWAT explained the potential severity of the flaws in a blog, noting the number of businesses that use Mongoose for their MongoDB databases.
“Many businesses use Mongoose and MongoDB to build their apps. If hackers break in, they could cause serious functionality problems and, worse, put critical data at risk of theft, manipulation, or destruction.”
During his analysis, Phung discovered CVE-2024-53900, a remote code execution (RCE) flaw that exploits Mongoose’s $where operator, which enables JavaScript execution directly on the MongoDB server.
Phung warned that the flaw could be used by attackers to query the database to run malicious commands on the Node.js application server, which thereafter could allow them to steal data or even take control of part of the application itself.
He submitted a security report disclosing the flaw to Snyk on 7 November, and Mongoose released version 8.8.3, which addressed the issue, later that month.
But when Phung took a closer look at the patch he found a potential bypass that would still enable RCE on the application server.
With the new flaw, CVE-2025-23061, Phung demonstrated that by nesting the $where operator inside an $or clause, he was able to bypass the new single-level checks introduced by Mongoose to mitigate CVE-2024-53900 and achieve RCE.
The proof-of-concept exploit developed by Phung showed that CVE-2025-23061, which was assigned a 9.0 severity rating under the MITRE framework, could be triggered in Mongoose versions prior to 8.9.5 (later than 8.8.3); he disclosed the new vulnerability via Tidelift.
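As an added illustration, not code from the article or from Mongoose itself, the following shows why a single-level check on a query filter is insufficient and what a recursive check looks like; the field names and sample filters are constructed for the example.

```javascript
// Added example (not Mongoose's own code): contrast a one-level check for the
// $where operator with a recursive check that also inspects operands of $or,
// $and, $nor and nested paths, which is the kind of nesting the article
// describes for the bypass.

const FORBIDDEN_OPERATORS = new Set(['$where']);

// Shallow check: inspects only the top-level keys of the filter object.
function hasWhereShallow(filter) {
  return Object.keys(filter || {}).some((k) => FORBIDDEN_OPERATORS.has(k));
}

// Recursive check: walks plain objects and arrays at any depth.
function hasWhereDeep(value, depth = 0) {
  if (depth > 32) throw new Error('filter nesting too deep');
  if (Array.isArray(value)) {
    return value.some((v) => hasWhereDeep(v, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (FORBIDDEN_OPERATORS.has(key)) return true;
      if (hasWhereDeep(child, depth + 1)) return true;
    }
  }
  return false;
}

// Guard to apply to any user-influenced match condition before it reaches a
// query or populate({ match }) call; returns the filter unchanged when clean.
function assertSafeFilter(filter) {
  if (hasWhereDeep(filter)) {
    throw new Error('$where is not permitted in user-supplied filters');
  }
  return filter;
}

// Constructed sample filters (hypothetical application field names).
const plainFilter = { status: 'active', age: { $gt: 18 } };
const topLevelWhere = { $where: 'this.age > 18' };           // caught by both checks
const nestedWhere = { $or: [{ status: 'x' }, { $where: 'this.age > 18' }] }; // shallow check misses it
```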
OPSWAT warned that these vulnerabilities could be exploited by attackers to embed malicious code inside the organization’s MongoDB database, as well as steal or corrupt data stored in MongoDB.
It advised businesses to update their instances of Mongoose to the latest version immediately.