Plugin: mongodb-securityRules
no-unsafe-populate
Detects user-controlled populate() paths that could lead to data exposure or injection.
Keywords: CWE-943, populate, Mongoose, injection, CVE-2025-23061, security
Detects user-controlled populate() paths that could lead to data exposure or injection.
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-943 (NoSQL Injection) |
| CVE | CVE-2025-23061 (Mongoose populate injection) |
| OWASP | A03:2021 - Injection |
| Severity | Medium (CVSS: 6.5) |
| Category | Security |
Rule Details
User-controlled populate() paths can:
- Expose sensitive related documents
- Cause performance issues (deep population)
- Enable injection attacks (CVE-2025-23061)
❌ Incorrect
// User controls which relations to load
User.findById(id).populate(req.query.include);
// Object population with user input
User.findById(id).populate({
path: req.body.path,
select: req.body.fields,
});✅ Correct
const x = 1;Known False Negatives
Spread Operator
// ❌ NOT DETECTED
User.findById(id).populate(req.body.populateOptions);When Not To Use It
- When populate paths are strictly validated against an allowlist