Skip to content

mongoose-5.13.23.tgz: 2 vulnerabilities (highest severity is: 9.1) #1858

New issue
New issue
Open
Open
mongoose-5.13.23.tgz: 2 vulnerabilities (highest severity is: 9.1)#1858
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mendno-issue-activity
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Feb 10, 2025
Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /blockchain_integration/pi_network/onramp-pi/package.json

Path to vulnerable library: /blockchain_integration/pi_network/onramp-pi/node_modules/mongoose/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/mongoose/package.json,/ai-financial-advisor/node_modules/mongoose/package.json,/pi-nexus-api/node_modules/mongoose/package.json,/blockchain_integration/pi_network/PiRide/node_modules/mongoose/package.json,/server/node_modules/mongoose/package.json,/projects/Nexarion/node_modules/mongoose/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/mongoose/package.json

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (mongoose version) Remediation Possible**
CVE-2024-53900 Critical 9.1 mongoose-5.13.23.tgz Direct mongoose - 6.13.5,7.8.3,8.8.3
CVE-2025-2306 Medium 5.9 mongoose-5.13.23.tgz Direct mongoose -6.13.6,7.8.4,8.9.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-53900

Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /blockchain_integration/pi_network/onramp-pi/package.json

Path to vulnerable library: /blockchain_integration/pi_network/onramp-pi/node_modules/mongoose/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/mongoose/package.json,/ai-financial-advisor/node_modules/mongoose/package.json,/pi-nexus-api/node_modules/mongoose/package.json,/blockchain_integration/pi_network/PiRide/node_modules/mongoose/package.json,/server/node_modules/mongoose/package.json,/projects/Nexarion/node_modules/mongoose/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.23.tgz (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Publish Date: 2024-12-02

URL: CVE-2024-53900

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-53900

Release Date: 2024-12-02

Fix Resolution: mongoose - 6.13.5,7.8.3,8.8.3

Step up your Open Source Security Game with Mend here

CVE-2025-2306

Vulnerable Library - mongoose-5.13.23.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.23.tgz

Path to dependency file: /blockchain_integration/pi_network/onramp-pi/package.json

Path to vulnerable library: /blockchain_integration/pi_network/onramp-pi/node_modules/mongoose/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/mongoose/package.json,/ai-financial-advisor/node_modules/mongoose/package.json,/pi-nexus-api/node_modules/mongoose/package.json,/blockchain_integration/pi_network/PiRide/node_modules/mongoose/package.json,/server/node_modules/mongoose/package.json,/projects/Nexarion/node_modules/mongoose/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.23.tgz (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

Mongoose versions before 8.9.5 Exposed to Search Injection

Publish Date: 2025-05-16

URL: CVE-2025-2306

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://securityonline.info/cve-2025-2306-cvss-9-0-mongoose-flaw-leaves-millions-of-downloads-exposed-to-search-injection/

Release Date: 2025-01-18

Fix Resolution: mongoose -6.13.6,7.8.4,8.9.5

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mendno-issue-activity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions