Mongoose Search Injection Vulnerability via Nested $where Filters in populate() Matches

Vulnerability

A search injection vulnerability has been identified in Mongoose versions prior to 8.9.5. This issue arises from the improper handling of nested $where filters used in conjunction with the populate() method, allowing for potential search injection attacks.

Impact

Exploitation of this vulnerability could lead to search injection, where an attacker who controls the filter manipulates query behavior to achieve unintended results.

Reproduction

The vulnerability can be reproduced by using a version of Mongoose prior to 8.9.5 and applying a nested $where filter inside the match option of a populate() call. This can be done by creating a model with a population relationship, then querying that model while specifying a $where condition that, for example, logs a message to the console.

Remediation

Users can upgrade to Mongoose version 8.9.5 or later, where this vulnerability has been fixed.
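For applications that cannot upgrade immediately, or that accept populate() match filters from user input, the following added example (not Mongoose's own code) shows a defensive check that rejects a $where key at any depth of a filter, including inside $and/$or arrays as in the Reproduction section above; the function names findWhere and assertSafePopulate and the sample inputs are assumed and constructed for illustration.

```javascript
// Added example, not part of Mongoose: reject `$where` anywhere inside a
// filter object before it reaches Mongoose, including nested operators such
// as $and/$or/$nor and the `match` option passed to populate().

// Walks a filter recursively and returns the dotted key path of the first
// `$where` found, or null if the filter contains none.
function findWhere(filter, path = []) {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findWhere(filter[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  if (filter === null || typeof filter !== 'object') return null;
  for (const key of Object.keys(filter)) {
    if (key === '$where') return path.concat(key).join('.');
    const hit = findWhere(filter[key], path.concat(key));
    if (hit) return hit;
  }
  return null;
}

// Throws if the populate options contain a `$where` at any depth; otherwise
// returns the options unchanged. `populateOpts` mirrors the object shape used
// with Model.find().populate({ path, match }).
function assertSafePopulate(populateOpts) {
  const hit = findWhere(populateOpts.match);
  if (hit) {
    throw new Error(`rejected populate() match: $where found at "${hit}"`);
  }
  return populateOpts;
}

// Constructed sample inputs: a plain match, a top-level $where, and a $where
// hidden inside a nested $and array (the pattern this advisory describes).
const safeOpts = { path: 'author', match: { name: 'alice' } };
const topWhereOpts = { path: 'author', match: { $where: '1 === 1' } };
const nestedWhereOpts = {
  path: 'author',
  match: { $and: [{ name: 'alice' }, { $where: '1 === 1' }] },
};
```

Call assertSafePopulate on any filter built from request data before handing it to populate(); a thrown error means the request should be rejected rather than executed.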

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.3
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 5.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.