
mongoose-8.5.2.tgz: 2 vulnerabilities (highest severity is: 9.1)

Open mend-for-github-com[bot] opened this issue 11 months ago • 2 comments

Vulnerable Library - mongoose-8.5.2.tgz

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-8.5.2.tgz

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (mongoose version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2024-53900 | Critical | 9.1 | mongoose-8.5.2.tgz | Direct | 8.8.4 | | |
| CVE-2025-23061 | Critical | 9.0 | mongoose-8.5.2.tgz | Direct | mongoose - 6.13.6, 7.8.4, 8.9.5 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-53900

Vulnerable Library - mongoose-8.5.2.tgz

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-8.5.2.tgz

Dependency Hierarchy:

  • :x: mongoose-8.5.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Publish Date: 2024-12-02

URL: CVE-2024-53900

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-53900

Release Date: 2024-12-02

Fix Resolution: 8.8.4

CVE-2025-23061

Vulnerable Library - mongoose-8.5.2.tgz

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-8.5.2.tgz

Dependency Hierarchy:

  • :x: mongoose-8.5.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Publish Date: 2025-01-15

URL: CVE-2025-23061

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2025-01-15

Fix Resolution: mongoose - 6.13.6,7.8.4,8.9.5

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.