Control Character Injection Vulnerability in MongoDB Shell
CVE-2025-1693

3.9LOW

Key Information:

Vendor: MongoDB
Status: Mongosh
Vendor: CVE Published:; 27 February 2025

What is CVE-2025-1693?

The MongoDB Shell is vulnerable to control character injection, enabling an attacker who has control over the database cluster contents to inject misleading control characters into the shell output. This manipulation could lead to the display of deceptive messages that may seem to emanate from mongosh or the operating system itself. As a consequence, users could be misled into executing unsafe actions. The vulnerability is present when mongosh connects to a database cluster that is either partially or fully controlled by an attacker, thus posing a significant security risk for database operations.

Affected Version(s)

mongosh 0 < 2.3.9

References

https://jira.mongodb.org/browse/MONGOSH-2026

CVSS V3.1

Score:

3.9

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 27, 2025
Vulnerability Reserved
Feb 25, 2025