Share
## https://sploitus.com/exploit?id=8998C96E-4ACA-5469-AEBD-CCDA66BA08B6
# CVE-2025-23061 - Mongoose Command Injection

A proof of concept for the Command Injection vulnerability in Mongoose = 7.0.0 = 8.0.0 = 14
- MongoDB running locally or accessible via connection string

### Installation

```bash
# Install dependencies
npm install

# Optional: Use specific MongoDB URI
export MONGODB_URI="mongodb://localhost:27017/mongoose_cve_poc"
```

### Run the Vulnerable Server

```bash
npm start
```

The server will start on `http://localhost:3000`

### Run the Exploit

In another terminal:

```bash
node exploit.js
```

## References

- [GitHub Commit (Fix)](https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc)
- [Mongoose Release 8.9.5](https://github.com/Automattic/mongoose/releases/tag/8.9.5)
- [NVD CVE-2025-23061](https://nvd.nist.gov/vuln/detail/CVE-2025-23061)
- [Nuclei Template](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-23061.yaml)
- [Mongoose CVE Lab](https://github.com/NamhyeonKo/mongoose-cve-lab)
- [POC](https://www.opswat.com/blog/technical-discovery-mongoose-cve-2025-23061-cve-2024-53900)
## Disclaimer

This PoC is provided for educational purposes only. Unauthorized access to computer systems is illegal. Use this only on systems you own or have explicit permission to test.