From 1baf4d1b383bb563689530906834bd058c5c1510 Mon Sep 17 00:00:00 2001
From: Jordan Harband
Date: Thu, 5 Feb 2026 09:35:26 -0800
Subject: [PATCH] Improve GHSA-vg7j-7cwx-8wgw
---
 .../2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json b/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json
index 4ab2bbd67adca..d9d16a38ec9fb 100644
--- a/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json
+++ b/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vg7j-7cwx-8wgw",
- "modified": "2025-10-03T15:40:22Z",
+ "modified": "2025-01-17T18:02:41Z",
 "published": "2025-01-15T06:30:49Z",
 "aliases": [
 "CVE-2025-23061"
 ],
 "summary": "Mongoose search injection vulnerability",
- "details": "Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.\n\nNOTE: this issue exists because of an incomplete fix for CVE-2024-53900.",
+ "details": "Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.\n\nNOTE: this issue exists because of an incomplete fix for [CVE-2024-53900](https://github.com/advisories/GHSA-m7xq-9374-9rvx).",
 "severity": [
 {
 "type": "CVSS_V3",
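Review bot: The `modified` value on the new side moves backwards, from 2025-10-03T15:40:22Z to 2025-01-17T18:02:41Z, in the same change that edits `details`. Consumers that sync advisories incrementally by comparing `modified` may treat the record as unchanged or older and skip this revision, so the corrected text and range would not propagate. If the repository's merge tooling does not rewrite the field (not visible here), it should carry the time of this change, e.g. `"modified": "<RFC 3339 UTC timestamp of this change>"`.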
@@ -63,7 +63,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.8.0"
 },
 {
 "fixed": "6.13.6"
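Review bot: Raising `introduced` from `"0"` to `"3.8.0"` takes every release below 3.8.0 out of the affected range, and nothing in the visible hunks records why 3.8.0 is the first affected version. A lower bound set too high shows up as a false negative in dependency scanners, so the change should cite the commit or release that introduced the affected `$where` handling, for example in the PR description or as a `references` entry. The `details` text in the first hunk still reads "versions prior to 8.9.5, 7.8.4, and 6.13.6" with no lower bound; it should state the same floor, e.g. `Mongoose versions 3.8.0 and later, prior to 8.9.5, 7.8.4, and 6.13.6, ...`. The enclosing range object starts and ends outside this hunk, so whether any other ranges in the file carry matching bounds cannot be checked here.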