no-unsafe-populate
Detects user-controlled `populate()` paths that could lead to data exposure or injection.
Keywords: CWE-943, populate, Mongoose, injection, CVE-2025-23061, security
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-943 (NoSQL Injection) |
| CVE | CVE-2025-23061 (Mongoose populate injection) |
| OWASP | A03:2021 - Injection |
| Severity | Medium (CVSS: 6.5) |
| Category | Security |
Rule Details
User-controlled populate() paths can:
- Expose sensitive related documents
- Cause performance issues (deep population)
- Enable injection attacks (CVE-2025-23061)
❌ Incorrect
```javascript
// User controls which relations to load
User.findById(id).populate(req.query.include);

// Object population with user input
User.findById(id).populate({
  path: req.body.path,
  select: req.body.fields,
});
```
✅ Correct
```javascript
// Hardcoded populate paths
User.findById(id).populate('posts comments');

// Allowlist user selection
const ALLOWED_INCLUDES = ['posts', 'profile'];
const include = ALLOWED_INCLUDES.includes(req.query.include)
  ? req.query.include
  : undefined;
User.findById(id).populate(include);

// Explicit populate configuration
User.findById(id).populate({
  path: 'posts',
  select: 'title createdAt',
  options: { limit: 10 },
});
```
Known False Negatives
Spread Operator
```javascript
// ❌ NOT DETECTED
// The whole populate options object comes from the request body
User.findById(id).populate(req.body.populateOptions);
```
When Not To Use It
- When populate paths are strictly validated against an allowlist
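
The allowlist pattern from the Correct examples and the "strictly validated against an allowlist" condition above, carried through as an added example that is not part of this rule's documentation or the plugin's code. `POPULATE_ALLOWLIST`, its schema paths, `MAX_PATHS` and the Express handler are assumptions; the point is that only path names cross the trust boundary, and the per-path `select` and `options` are fixed server-side.

```javascript
const POPULATE_ALLOWLIST = {
  // path -> fields the client may see (hypothetical schema)
  posts: 'title createdAt',
  profile: 'displayName avatarUrl',
};
const MAX_PATHS = 3; // cap on paths per request, to bound population cost

// Normalise untrusted `include` input (a comma- or space-separated string,
// or an array of strings) into a deduplicated list of allowlisted paths.
// Objects, nested arrays and non-string elements are rejected outright:
// populate option objects (`match`, `select`, `options`) must be built
// server-side, never taken from the client.
// Returns [] for no input and null for anything that fails validation.
function parseIncludeParam(input) {
  if (input === undefined || input === null || input === '') return [];
  let items;
  if (typeof input === 'string') {
    items = input.split(/[\s,]+/).filter(Boolean);
  } else if (Array.isArray(input) && input.every((v) => typeof v === 'string')) {
    items = input;
  } else {
    return null;
  }
  const unique = [...new Set(items)];
  if (unique.length > MAX_PATHS) return null;
  // hasOwnProperty guards against prototype keys such as "__proto__"
  const known = (p) => Object.prototype.hasOwnProperty.call(POPULATE_ALLOWLIST, p);
  return unique.every(known) ? unique : null;
}

// Turn a validated path list into the explicit per-path configuration
// shown under "Correct": field selection and limit are fixed server-side.
function buildPopulateArgs(paths) {
  return paths.map((path) => ({
    path,
    select: POPULATE_ALLOWLIST[path],
    options: { limit: 10 },
  }));
}

// Usage in a hypothetical Express handler:
//   const paths = parseIncludeParam(req.query.include);
//   if (paths === null) return res.status(400).json({ error: 'invalid include' });
//   User.findById(id).populate(buildPopulateArgs(paths));
```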