Flaws in a popular dev library could let hackers run malicious code in your MongoDB database
A popular third-party library for MongoDB could allow attackers to execute malicious code on your server


A researcher has uncovered two related vulnerabilities in a popular developer library used to connect applications to MongoDB that could allow hackers to sneak into your database.
Mongoose is an object data modeling (ODM) library for MongoDB that connects it to the Node.js runtime environment, essentially simplifying interactions between applications and MongoDB databases.
The flaws were discovered by Dat Phung, a member of OPSWAT’s fellowship program, who chose to examine Mongoose because of its widespread use in production environments.
OPSWAT explained the potential severity of the flaws in a blog, noting the number of businesses that use Mongoose for their MongoDB databases.
“Many businesses use Mongoose and MongoDB to build their apps. If hackers break in, they could cause serious functionality problems and, worse, put critical data at risk of theft, manipulation, or destruction.”
During his analysis, Phung discovered CVE-2024-53900, a remote code execution (RCE) flaw that abuses Mongoose’s handling of the $where operator, which enables JavaScript execution directly on the MongoDB server.
Phung warned that attackers could use the flaw to craft database queries that run malicious commands on the Node.js application server, which could then allow them to steal data or even take control of part of the application itself.
He submitted a security report disclosing the flaw to Snyk on 7 November, and Mongoose released version 8.8.3, which addressed the issue, later that month.
But when Phung took a closer look at the patch he found a potential bypass that would still enable RCE on the application server.
With the new flaw, CVE-2025-23061, Phung demonstrated that by nesting the $where operator inside an $or clause, he was able to bypass the new single-level checks introduced by Mongoose to mitigate CVE-2024-53900 and achieve RCE.
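The bypass described above comes down to where a filter is inspected: a check that only looks at the top-level keys of a query object never sees a $where buried inside an $or array. The following is an added example, not code from the article, from OPSWAT or from the Mongoose project, and it does not reproduce Mongoose's actual patch; it contrasts a single-level check of the kind the article describes with a recursive walk that rejects $where at any depth, which is what a defender would want in front of any untrusted filter (the sample filters and the placeholder JavaScript strings inside $where are constructed for illustration):

```javascript
// Added example: contrast a single-level $where check with a recursive one.
// Not the Mongoose project's code; the filters below are constructed samples.

// A single-level check: only inspects the top-level keys of the filter object.
// This is the shape of check that a nested $or bypasses.
function hasTopLevelWhere(filter) {
  return filter !== null && typeof filter === 'object' &&
    Object.prototype.hasOwnProperty.call(filter, '$where');
}

// Recursive check: walks nested objects and arrays, so $where is found no
// matter how deeply it is wrapped in $or / $and / $nor / $not or sub-documents.
// Excessive nesting is treated as unsafe rather than walked forever.
function containsWhere(value, depth = 0, maxDepth = 32) {
  if (depth > maxDepth) return true;
  if (Array.isArray(value)) {
    return value.some((v) => containsWhere(v, depth + 1, maxDepth));
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '$where') return true;
      if (containsWhere(value[key], depth + 1, maxDepth)) return true;
    }
  }
  return false;
}

// Guard to apply before an untrusted filter reaches a query or a populate() match.
// Returns the filter unchanged when it is clean, throws otherwise.
function assertSafeFilter(filter) {
  if (containsWhere(filter)) {
    throw new Error('Rejected filter: the $where operator is not allowed');
  }
  return filter;
}

// Constructed sample filters (the $where bodies are inert placeholders).
const benignFilter = { status: 'active', $or: [{ role: 'admin' }, { role: 'editor' }] };
const topLevelWhere = { $where: 'return true' };
const nestedWhere = { $or: [{ $where: 'return true' }] };          // the nesting pattern from the article
const deeplyNestedWhere = { $and: [{ $or: [{ $nor: [{ $where: 'return true' }] }] }] };

// Evaluate every sample with both checks; returns a table of results.
function compareChecks() {
  const samples = { benignFilter, topLevelWhere, nestedWhere, deeplyNestedWhere };
  const results = {};
  for (const [name, filter] of Object.entries(samples)) {
    results[name] = {
      singleLevel: hasTopLevelWhere(filter),
      recursive: containsWhere(filter),
    };
  }
  return results;
}

console.table(compareChecks());
```

The single-level check flags only `topLevelWhere`; the recursive check flags all three $where-bearing samples and passes the benign $or filter, which is the behaviour a filter guard needs.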
The proof-of-concept exploit developed by Phung showed that CVE-2025-23061, which was assigned a 9.0 severity rating under the MITRE framework, could be triggered in Mongoose versions prior to 8.9.5, including those later than 8.8.3. He disclosed the new vulnerability via Tidelift.
OPSWAT warned that these vulnerabilities could be exploited by attackers to embed malicious code inside the organization's MongoDB database, as well as steal or corrupt data stored in MongoDB.
It advised businesses to update their instances of Mongoose to the latest version immediately.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.