CVE-2025-23061: 
JavaScript vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-23061) was discovered in Mongoose before version 8.9.5, affecting its populate() match functionality. The vulnerability allows improper use of a nested $where filter with a populate() match, leading to search injection. This issue exists as a result of an incomplete fix for a previous vulnerability (CVE-2024-53900). The vulnerability was disclosed on January 15, 2025, and affects all versions of Mongoose prior to 8.9.5 (NVD, Red Hat).

The vulnerability has been assigned a CVSS v3.1 base score of 9.0 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue is classified as CWE-94 (Improper Control of Generation of Code - 'Code Injection'). The vulnerability specifically involves the improper handling of nested $where filters when used in conjunction with the populate() match functionality, which could allow attackers to perform search injection attacks (NVD, Security Online).

With approximately 2.7 million weekly downloads, this vulnerability poses a significant risk to applications using affected Mongoose versions. The critical CVSS score of 9.0 indicates that successful exploitation could lead to severe consequences, potentially allowing attackers to inject malicious search queries and gain unauthorized access to sensitive data (Security Online).

Users should immediately upgrade to Mongoose version 8.9.5 or later, which contains the fix for this vulnerability. The fix involves implementing proper validation and restrictions on nested $where filters in populate() match operations (Mongoose Changelog, Mongoose Release).