Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-23061 PoC — Mongoose 代码注入漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-23061.yaml
Associated Vulnerability
Title:Mongoose 代码注入漏洞 (CVE-2025-23061)
Description:Mongoose是Automattic开源的一个 MongoDB 对象建模,旨在在异步环境中工作。 Mongoose 8.9.5之前版本存在代码注入漏洞,该漏洞源于错误地使用嵌套的过滤器和populate()匹配,从而导致搜索注入。
Description
NoSQL injection vulnerability in Mongoose < 8.9.5 affecting the populate() function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operators like $and, allowing execution of arbitrary JavaScript code on MongoDB server, bypassing authentication, and accessing sensitive administrative data.
File Snapshot

 id: CVE-2025-23061

info:
  name: Mongoose - NoSQL Injection
  author: NamhyunKo
  severity: critica

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.