## https://sploitus.com/exploit?id=8998C96E-4ACA-5469-AEBD-CCDA66BA08B6
# CVE-2025-23061 - Mongoose Command Injection
A proof of concept for the Command Injection vulnerability in Mongoose = 7.0.0 = 8.0.0 = 14
- MongoDB running locally or accessible via connection string
### Installation
```bash
# Install dependencies
npm install
# Optional: Use specific MongoDB URI
export MONGODB_URI="mongodb://localhost:27017/mongoose_cve_poc"
```
### Run the Vulnerable Server
```bash
npm start
```
The server will start on `http://localhost:3000`
### Run the Exploit
In another terminal:
```bash
node exploit.js
```
## References
- [GitHub Commit (Fix)](https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc)
- [Mongoose Release 8.9.5](https://github.com/Automattic/mongoose/releases/tag/8.9.5)
- [NVD CVE-2025-23061](https://nvd.nist.gov/vuln/detail/CVE-2025-23061)
- [Nuclei Template](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-23061.yaml)
- [Mongoose CVE Lab](https://github.com/NamhyeonKo/mongoose-cve-lab)
- [POC](https://www.opswat.com/blog/technical-discovery-mongoose-cve-2025-23061-cve-2024-53900)
## Disclaimer
This PoC is provided for educational purposes only. Unauthorized access to computer systems is illegal. Use this only on systems you own or have explicit permission to test.