CVE-2024-53900
$where operator vulnerability in mongoose
What is CVE-2024-53900 About?
This vulnerability in Mongoose involves the improper use of the $where operator, allowing for code injection via arbitrary JavaScript execution in MongoDB queries. Successful exploitation can lead to unauthorized data access or manipulation, making it a critical issue that is relatively easy to exploit given the nature of code injection.
Affected Software
- mongoose >8.0.0-rc0, <8.8.3
- mongoose <6.13.5
- mongoose >7.0.0-rc0, <7.8.3
Technical Details
The vulnerability stems from the MongoDB $where operator's ability to execute arbitrary JavaScript code within query contexts. In affected Mongoose versions, if user-controlled input directly influences the content of a $where clause, an attacker can inject malicious JavaScript. This injected code will then be executed by the MongoDB server, potentially bypassing application-level security controls and leading to code execution within the database context. The attack vector specifically targets the `eval` functionality implicit in `$where` queries, allowing for a direct code injection payload.
What is the Impact of CVE-2024-53900?
Successful exploitation may allow attackers to execute arbitrary code within the database context, leading to unauthorized access, modification, or deletion of sensitive data, and potentially full compromise of the database system.
What is the Exploitability of CVE-2024-53900?
Exploitation of this vulnerability is considered to be of medium complexity, primarily requiring the attacker to supply malicious input to a vulnerable MongoDB query involving the `$where` operator. There are no specific authentication requirements beyond having legitimate access to an application that constructs such queries. Privilege requirements depend on the context of the application's database user, but even low-privileged users could leverage this if their input is used in an `$where` clause. This can be exploited remotely if the vulnerable application is internet-facing and accepts user input for database queries. A key risk factor is applications that directly embed or concatenate user-supplied strings into `$where` clauses without proper sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Gokul-Krishnan-V-R | Link | Mongo Vulnub Lab...Try to Hack IT.....! |
| www-spam | Link | PoC for CVE-2024-53900 |
What are the Available Fixes for CVE-2024-53900?
About the Fix from Resolved Security
The patch prevents use of the $where operator in match conditions for Mongoose’s .populate() by recursively checking for and throwing an error if $where is present. This fixes CVE-2024-53900 by blocking injection of arbitrary JavaScript code via $where, which could otherwise allow attackers to execute malicious code on the MongoDB server during population.
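As an added illustration of the recursive check the fix description outlines (example code, not Mongoose's own patch), the helper below walks a populate() `match` object, including nested `$or`/`$and` branches, and throws as soon as a `$where` key is found. The `assertNoWhere`, `safePopulateOptions` and `isRejected` names and the sample inputs are constructed for this example.

```javascript
// Added example, not Mongoose's code: reject any `$where` key anywhere inside a
// filter / populate `match` object before it reaches the MongoDB driver.
function assertNoWhere(value, path = 'match') {
  if (Array.isArray(value)) {
    // Operators such as $or / $and carry arrays of sub-filters; recurse into each.
    value.forEach((item, i) => assertNoWhere(item, `${path}[${i}]`));
    return value;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '$where') {
        throw new Error(`Rejected: $where is not allowed at ${path}.${key}`);
      }
      assertNoWhere(value[key], `${path}.${key}`);
    }
  }
  // Primitives (strings, numbers, booleans) cannot carry a $where operator.
  return value;
}

// Guard for a populate() options object: returns it unchanged if the
// `match` condition is free of $where, throws otherwise.
function safePopulateOptions(opts) {
  if (opts && opts.match !== undefined) {
    assertNoWhere(opts.match);
  }
  return opts;
}

// Convenience predicate used for testing: true if the match would be blocked.
function isRejected(match) {
  try {
    assertNoWhere(match);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample inputs (not taken from any real application).
const benignMatch = { status: 'active', $or: [{ role: 'editor' }, { role: 'admin' }] };
// A request body that hides $where inside an $or branch, where a top-level
// key check alone would miss it.
const hostileMatch = { $or: [{ role: 'editor' }, { $where: 'this.role === "admin"' }] };
```

Calling `safePopulateOptions` on every user-influenced populate() call gives the same protection on older versions until the upgrade is applied; the same walk can be reused for ordinary `find()` filters.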
Available Upgrade Options
- mongoose <6.13.5 → Upgrade to 6.13.5
- mongoose >7.0.0-rc0, <7.8.3 → Upgrade to 7.8.3
- mongoose >8.0.0-rc0, <8.8.3 → Upgrade to 8.8.3
Additional Resources
- https://github.com/Automattic/mongoose
- https://github.com/advisories/GHSA-m7xq-9374-9rvx
- https://osv.dev/vulnerability/GHSA-m7xq-9374-9rvx
- https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- https://github.com/Automattic/mongoose/compare/8.8.2...8.8.3
- https://nvd.nist.gov/vuln/detail/CVE-2024-53900
- https://github.com/Automattic/mongoose/commit/33679bcf8ca43d74e3e8ecd4cc224826772d805b
What are Similar Vulnerabilities to CVE-2024-53900?
Similar Vulnerabilities: CVE-2012-6634, CVE-2013-4660, CVE-2013-6858, CVE-2015-0205, CVE-2017-0097
