
OPSWAT recently published on its blog an analysis of the Proof of Concept (PoC) for two critical vulnerabilities, CVE-2024-53900 and CVE-2025-23061, in Mongoose, the Object Data Modeling (ODM) library for MongoDB and Node.js. When exposed to the internet, Mongoose can pose serious security risks, including unauthorized access, data leakage, NoSQL injection, remote code execution (RCE), and DDoS attacks. Both vulnerabilities have high CVSS v3 scores, 9.1 and 9.0 respectively, and can lead to RCE. This post explores how to use Criminal IP Asset Search to detect exposed Mongoose instances on the internet and assess their security risks.
PoC of Mongoose RCE Vulnerabilities: CVE-2024-53900 & CVE-2025-23061
Mongoose simplifies the interaction between MongoDB and Node.js applications. According to OPSWAT’s analysis, both vulnerabilities involve the $where operator. $where is a MongoDB query operator that evaluates a JavaScript expression to decide which documents match, so it can express arbitrary data retrieval criteria, and Mongoose accepts it in the match filter passed to the populate() function. If an attacker injects a $where clause into such a query, the MongoDB server may not recognize it, and the clause can instead be evaluated locally on the application server, running the attacker’s JavaScript there. OPSWAT researchers demonstrated this by crafting a query that did not trigger a MongoDB server error and executing remote code on a Node.js application server.
CVE-2024-53900 was patched in Mongoose 8.8.3 by preventing the $where operator from being used in the match option of populate(). However, it was later found that $where could still be passed to populate() when nested inside an $or operator, and this bypass was assigned the new identifier CVE-2025-23061. The issue was fixed in Mongoose 8.9.5, and users are advised to update to the latest version to address both vulnerabilities.
Vulnerable Versions of Mongoose
- CVE-2024-53900: versions prior to 8.8.3
- CVE-2025-23061: versions prior to 8.9.5
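The two version thresholds above are easy to get wrong when Mongoose appears more than once in a dependency tree. The following is an added example (not code from the original post or from the Mongoose project) that maps an installed version to the CVEs listed here and audits a package-lock.json object for every Mongoose copy it contains. The lockfile object, the `legacy-lib` package and all function names are constructed for illustration; the fixed versions are the ones stated above.

```javascript
// Added example: map a Mongoose version to the two CVEs discussed in the post
// and audit every mongoose entry in a lockfile object.

// Fixed versions as stated in the post.
const MONGOOSE_ADVISORIES = [
  { cve: "CVE-2024-53900", fixedIn: "8.8.3" },
  { cve: "CVE-2025-23061", fixedIn: "8.9.5" },
];

// Parse "major.minor.patch[-prerelease][+build]" into numeric parts. A leading
// "v" is tolerated and build metadata is ignored; anything else throws.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Compare two versions; returns -1, 0 or 1. A prerelease sorts before the
// corresponding release (8.9.5-beta.1 < 8.9.5), so a prerelease of the fixed
// version is still reported as affected.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (va[k] !== vb[k]) return va[k] < vb[k] ? -1 : 1;
  }
  if (va.prerelease === vb.prerelease) return 0;
  if (va.prerelease === null) return 1;
  if (vb.prerelease === null) return -1;
  return va.prerelease < vb.prerelease ? -1 : 1;
}

// Return the CVE ids that apply to the given Mongoose version.
function affectedCves(version) {
  return MONGOOSE_ADVISORIES
    .filter(({ fixedIn }) => compareVersions(version, fixedIn) < 0)
    .map(({ cve }) => cve);
}

// Walk the "packages" map of a lockfileVersion 2/3 object (the shape npm
// writes to package-lock.json) and report every mongoose entry, including
// nested copies installed under another dependency's node_modules.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lockfile.packages || {})) {
    if (path === "node_modules/mongoose" || path.endsWith("/node_modules/mongoose")) {
      findings.push({ path, version: pkg.version, cves: affectedCves(pkg.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: a top-level mongoose plus an older nested copy
// pulled in by a hypothetical "legacy-lib" dependency.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { mongoose: "^8.9.0" } },
    "node_modules/mongoose": { version: "8.9.0" },
    "node_modules/legacy-lib": { version: "1.0.0", dependencies: { mongoose: "8.8.2" } },
    "node_modules/legacy-lib/node_modules/mongoose": { version: "8.8.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version}: ${f.cves.length ? f.cves.join(", ") : "not affected"}`);
}
```

Replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))` to audit a real project; the nested-copy case is the one `npm ls mongoose` is easy to overlook when only the top-level version has been bumped.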
Security Threats of Exposed Mongoose Instances
Exposing Mongoose to the internet can lead to critical security threats, including the vulnerabilities mentioned above, unauthorized access, data leakage, NoSQL injection, RCE, and DDoS attacks.
| Security Threat | Detailed Information |
|---|---|
| Unauthorized Access | Mongoose is typically connected to MongoDB, and without proper security configurations, external access to the database is possible. In MongoDB, if security settings are not configured, it allows connections without authentication, and attackers can manipulate data using commands like find(), update(), and delete(). |
| Data Leakage | When databases managed by Mongoose are exposed externally, attackers can exploit API endpoints to leak sensitive information. In particular, there is a high risk of exposing user data, account information, and confidential data. |
| NoSQL Injection Attacks | When Mongoose is exposed to the internet, attackers can manipulate the database through NoSQL injection. For example, if an attacker inputs a payload like `{ "$gt": "" }` into the login API, they can bypass authentication. |
| Remote Code Execution & Server Control Risks | Attackers can execute arbitrary code within the server through Mongoose. If functions such as eval(), exec(), or improperly executed queries are present, attackers may gain control over the server. |
| DDoS Attack Risks | A large volume of random requests from an attacker could overload the server running Mongoose, causing service downtime. |
When MongoDB and Mongoose are exposed to the internet, serious security threats can arise. Therefore, users must continuously check the security status and monitor exposure.
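The RCE and NoSQL injection rows above share one root cause: a request-supplied object reaching the query layer with MongoDB operator keys intact. The block below is an added example (not code from the original post or from Mongoose) of two defensive checks that address both. `findOperatorKeys()` walks a filter recursively and reports every `$`-prefixed key with its path, so a forbidden operator is found even when nested inside an `$or` array, the pattern the post describes for the CVE-2025-23061 bypass of the original `$where` check in `match`. `buildLoginFilter()` builds a login query only from plain strings, so an object such as `{ "$gt": "" }` sent in place of a password never becomes an operator. All function names and sample inputs are constructed; `$function` is added as a second JavaScript-evaluating MongoDB operator and is not mentioned in the post.

```javascript
// Added example: defensive checks for query objects that originate from HTTP
// request bodies, before they are handed to Mongoose or the MongoDB driver.

// Recursively collect "$"-prefixed keys together with a slash-separated path,
// descending into arrays so operators hidden under $or / $and are reported.
function findOperatorKeys(value, path = "") {
  const found = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => found.push(...findOperatorKeys(item, `${path}/${i}`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}/${key}`;
      if (key.startsWith("$")) found.push({ key, path: childPath });
      found.push(...findOperatorKeys(child, childPath));
    }
  }
  return found;
}

// Operators that are never legitimate in a request-supplied filter: both
// evaluate JavaScript. $where is the operator from the post; $function is an
// assumption added here as a second JavaScript-evaluating operator.
const FORBIDDEN_OPERATORS = new Set(["$where", "$function"]);

// Validate a populate() match filter built from request input. Returns the
// filter unchanged when clean; throws naming the first offending path otherwise.
function safePopulateMatch(match) {
  const bad = findOperatorKeys(match).filter(({ key }) => FORBIDDEN_OPERATORS.has(key));
  if (bad.length) {
    throw new Error(`forbidden operator ${bad[0].key} at ${bad[0].path}`);
  }
  return match;
}

// Build a login filter that only ever contains string values. Objects, arrays,
// numbers and missing fields are rejected before any query object exists.
function buildLoginFilter(body) {
  const { username, password } = body || {};
  if (typeof username !== "string" || typeof password !== "string") {
    throw new Error("username and password must be strings");
  }
  return { username, password };
}

// Counterpart shown for contrast only: request fields pass straight through,
// so a password of { "$gt": "" } survives as a query operator.
function unsafeLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// Constructed sample inputs.
const CLEAN_MATCH = { status: "active", $or: [{ role: "editor" }, { role: "admin" }] };
const NESTED_WHERE_MATCH = { $or: [{ role: "editor" }, { $where: "true" }] };
const INJECTED_LOGIN = { username: "admin", password: { $gt: "" } };

for (const [label, fn] of [
  ["clean match", () => safePopulateMatch(CLEAN_MATCH)],
  ["nested $where match", () => safePopulateMatch(NESTED_WHERE_MATCH)],
  ["injected login", () => buildLoginFilter(INJECTED_LOGIN)],
]) {
  try { console.log(`${label}: accepted ${JSON.stringify(fn())}`); }
  catch (e) { console.log(`${label}: rejected (${e.message})`); }
}
```

The allow-list shape of `buildLoginFilter()` is the stronger of the two checks: it does not need to know which operators are dangerous. The recursive walk is for the cases where a filter legitimately carries operators such as `$or` and only specific ones must be excluded at any depth.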
Exploring Exposed Mongoose on the Internet
Exposed Mongoose instances can be easily identified using Criminal IP Asset Search.
Criminal IP Search Query (Mongoose): product: "mongoose"

As of March 13, 2025, over 27,000 Mongoose instances exposed to the internet have been identified, including many running versions affected by these CVEs. Simply searching for ‘mongoose’ in Asset Search reveals whether an IP address is affected by the CVEs and which version is in use.
Furthermore, by navigating to the IP Report page for a specific IP address, you can view the vulnerabilities it is affected by, along with its exploit history. Additional details, such as open ports, the IP address location, and WHOIS information, are also available.

FAQ
Q1. What causes Mongoose to be exposed to the internet?
Mongoose’s exposure to the internet is mainly due to configuration errors and insufficient security. Key factors include incorrect MongoDB network settings, lack of authentication and authorization, security vulnerabilities in the application code, and inadequate firewall configurations allowing external access.
Q2. How can Mongoose exposure be prevented?
To protect MongoDB and the Mongoose ODM from exposure to the internet, it is crucial to strengthen network configurations, implement proper authentication and authorization, enhance application security, apply firewalls, and continuously monitor using cybersecurity threat intelligence (TI) search engines and attack surface management (ASM) solutions.
- Restrict MongoDB network access
- Enable authentication and access control
- Configure firewalls and security groups
- Strengthen application code security
- Prevent NoSQL injection
- Utilize cybersecurity threat intelligence search engines
- Implement attack surface management (ASM)
Conclusion
To protect MongoDB and Mongoose from being exposed to the internet, applying the latest patches, strengthening network configurations, implementing authentication, setting up firewalls, and enhancing application security are essential. Additionally, it is important to utilize cybersecurity threat intelligence search engines like Criminal IP and attack surface management solutions like Criminal IP ASM for continuous attack surface monitoring and automated detection.
If MongoDB’s security settings are inadequate, the risk of data leakage and server takeover increases, making it essential to thoroughly apply the security measures outlined earlier.
In relation to this, you can refer to Oracle WebLogic Server Vulnerability CVE-2020-2883: A 5-Year Threat to Server Control.
Source: Criminal IP (https://www.criminalip.io), SC Media (https://www.scworld.com/news/mongoose-odm-critical-rce-flaws-detailed-poc-exploits-revealed), Security Week (https://www.securityweek.com/vulnerabilities-in-mongodb-library-allow-rce-on-node-js-servers/), OPSWAT Blog (https://www.opswat.com/blog/technical-discovery-mongoose-cve-2025-23061-cve-2024-53900)