CVE-2024-53900
- Source
- https://cve.org/CVERecord?id=CVE-2024-53900
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53900.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-53900
- Aliases
- Published
- 2024-12-02T20:15:08.347Z
- Modified
- 2026-02-16T10:41:42.896858Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
- References
-
- https://www.npmjs.com/package/mongoose?activeTab=versions
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- https://github.com/Automattic/mongoose/releases
- https://github.com/advisories/GHSA-m7xq-9374-9rvx
- https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156
Affected packages
Git / github.com/automattic/mongoose
Affected ranges
- Type
- GIT
- Repo
- https://github.com/automattic/mongoose
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixed
Affected versions
5.*
5.13.17
6.*
6.10.2
6.10.3
6.10.4
6.10.5
6.11.0
6.11.1
6.11.2
6.11.3
6.11.4
6.11.5
6.11.6
6.12.0
6.12.1
6.12.2
6.12.4
6.12.5
6.12.6
6.12.7
6.12.8
6.12.9
6.13.0
6.13.1
6.13.2
6.13.3
6.13.4
6.13.5
7.*
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.3.0
7.3.1
7.3.2
7.3.3
7.3.4
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.5.0
7.5.1
7.5.2
7.5.3
7.5.4
7.6.0
7.6.1
7.6.10
7.6.11
7.6.12
7.6.13
7.6.2
7.6.3
7.6.4
7.6.5
7.6.6
7.6.7
7.6.8
7.6.9
7.7.0
7.8.0
7.8.1
7.8.2
8.*
8.0.0
8.0.0-rc0
8.0.1
8.0.2
8.0.3
8.0.4
8.1.0
8.1.1
8.1.2
8.1.3
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.7.0
8.7.1
8.7.2
8.7.3
8.8.0
8.8.1
8.8.2