Control Character Injection Vulnerability in MongoDB Shell by MongoDB
CVE-2025-1691

7.6HIGH

Key Information:

Vendor
MongoDB
Status
Vendor
CVE Published:
27 February 2025

Summary

The MongoDB Shell presents a control character injection vulnerability that allows an attacker to manipulate the autocompletion feature. If a user unwittingly engages the autocomplete function by pressing 'tab', they can execute previously obfuscated malicious commands. This exploitation is contingent on the MongoDB Shell being connected to a cluster that the attacker controls, either partially or fully. Versions of mongosh prior to 2.3.9 are particularly susceptible to this vulnerability.

Affected Version(s)

mongosh 0 < 2.3.9

References

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.