CVE-2024-53900
$where operator vulnerability in mongoose (npm)


What is CVE-2024-53900 About?

This vulnerability in Mongoose involves the improper use of the $where operator, allowing for code injection via arbitrary JavaScript execution in MongoDB queries. Successful exploitation can lead to unauthorized data access or manipulation, making it a critical issue that is relatively easy to exploit given the nature of code injection.

Affected Software

  • mongoose
    • >8.0.0-rc0, <8.8.3
    • <6.13.5
    • >7.0.0-rc0, <7.8.3

Technical Details

The vulnerability stems from the MongoDB $where operator's ability to execute arbitrary JavaScript code within query contexts. In affected Mongoose versions, if user-controlled input directly influences the content of a $where clause, an attacker can inject malicious JavaScript. This injected code will then be executed by the MongoDB server, potentially bypassing application-level security controls and leading to code execution within the database context. The attack vector specifically targets the eval functionality implicit in $where queries, allowing for a direct code injection payload.

What is the Impact of CVE-2024-53900?

Successful exploitation may allow attackers to execute arbitrary code within the database context, leading to unauthorized access, modification, or deletion of sensitive data, and potentially full compromise of the database system.

What is the Exploitability of CVE-2024-53900?

Exploitation of this vulnerability is considered to be of medium complexity, primarily requiring the attacker to supply malicious input to a vulnerable MongoDB query involving the $where operator. There are no specific authentication requirements beyond having legitimate access to an application that constructs such queries. Privilege requirements depend on the context of the application's database user, but even low-privileged users could leverage this if their input is used in a $where clause. This can be exploited remotely if the vulnerable application is internet-facing and accepts user input for database queries. A key risk factor is applications that directly embed or concatenate user-supplied strings into $where clauses without proper sanitization.

What are the Known Public Exploits?

PoC Author          Link   Commentary
Gokul-Krishnan-V-R  Link   Mongo Vulnub Lab...Try to Hack IT.....!
www-spam            Link   PoC for CVE-2024-53900

What are the Available Fixes for CVE-2024-53900?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents the use of the $where filter within the match option passed to populate() in Mongoose by explicitly throwing an error if $where is detected, thereby eliminating the opportunity for arbitrary JavaScript execution. This fixes CVE-2024-53900 because the vulnerability arose from the ability to inject malicious code via $where in population queries, leading to remote code execution.
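The check described above, reimplemented here as an added example for this page rather than Mongoose's own patch code: a boundary guard that walks a client-supplied match filter and throws if $where appears at any depth (including inside $or/$and arrays), plus an allowlist builder that never lets a client object be interpreted as an operator. The function names, the error text and the sample filters are assumptions constructed for the example.

```javascript
// Added example (not Mongoose's code): guard a populate({ match }) filter
// built from untrusted input. Assumes `match` arrives as parsed JSON from
// a client and is passed to populate()/find() unchanged otherwise.

// Walk a filter recursively and report whether any key is `$where`.
// Arrays ($or/$and/$nor) and nested sub-documents are descended into, so a
// $where placed inside { $or: [ { $where: ... } ] } is caught as well.
function containsWhereOperator(value) {
  if (Array.isArray(value)) {
    return value.some(containsWhereOperator);
  }
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (key === '$where') return true;
      if (containsWhereOperator(child)) return true;
    }
  }
  return false;
}

// Boundary guard: throw instead of silently dropping the key, so the attempt
// is visible in application logs and never reaches the MongoDB server.
function assertSafeMatch(match) {
  if (containsWhereOperator(match)) {
    throw new Error('Cannot use $where filter with populate() match');
  }
  return match;
}

// Stricter alternative for fields that should only ever be compared by
// equality: copy an explicit list of fields and wrap each scalar in $eq,
// rejecting objects so a client value can never become an operator.
function buildMatchFromAllowlist(userInput, allowedFields) {
  const match = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(userInput, field)) {
      const v = userInput[field];
      if (v !== null && typeof v === 'object') {
        throw new Error(`Field ${field} must be a scalar value`);
      }
      match[field] = { $eq: v };
    }
  }
  return match;
}

// Constructed sample filters (not taken from any real request):
const legitimateMatch = { status: 'active', tags: { $in: ['a', 'b'] } };
const nestedWhereMatch = {
  $or: [{ status: 'active' }, { $where: '/* client-supplied code */' }],
};

// Run the checks over both samples and return the outcome for inspection.
function demo() {
  let rejected = false;
  try {
    assertSafeMatch(nestedWhereMatch);
  } catch (e) {
    rejected = true;
  }
  return {
    legitimateAccepted: !containsWhereOperator(legitimateMatch),
    nestedWhereRejected: rejected,
    allowlisted: buildMatchFromAllowlist(
      { status: 'active', $where: 'ignored' }, ['status']),
  };
}

console.log(demo());
// → { legitimateAccepted: true, nestedWhereRejected: true,
//     allowlisted: { status: { $eq: 'active' } } }
```

Call assertSafeMatch (or buildMatchFromAllowlist) on the request body before constructing the populate options, so the filter that reaches Mongoose has already been vetted. Mongoose also ships a sanitizeFilter setting for query filters; the allowlist function above applies the same idea, wrapping values in $eq, to the populate match object at the application boundary.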

Available Upgrade Options

  • mongoose
    • <6.13.5 → Upgrade to 6.13.5
    • >7.0.0-rc0, <7.8.3 → Upgrade to 7.8.3
    • >8.0.0-rc0, <8.8.3 → Upgrade to 8.8.3


Additional Resources

What are Similar Vulnerabilities to CVE-2024-53900?

Similar Vulnerabilities: CVE-2012-6634, CVE-2013-4660, CVE-2013-6858, CVE-2015-0205, CVE-2017-0097