Mongoose, an Object Data Modeling library for MongoDB, contains two critical vulnerabilities that pose risks of data theft and remote code execution. The issues, reported by OPSWAT researchers, stem from flaws in the populate() method and in how the library handled match queries. The first vulnerability (CVE-2024-53900) was patched in version 8.8.3, but a second flaw discovered shortly afterwards in December showed that this fix was incomplete. Mongoose's developers addressed the second flaw in subsequent updates, illustrating the ongoing challenge of maintaining security in widely used libraries.
In early November, a researcher discovered a critical SQL injection vulnerability in Mongoose, allowing potential remote code execution and data theft if exploited.
Mongoose has patched two critical vulnerabilities, but researchers noted that the initial fix in version 8.8.3 was incomplete, which led to the discovery of a second vulnerability.