CVE-2025-1691

CWE-744 documents4 sources
Severity
6.5MEDIUM
EPSS
0.3%
top 50.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC MongoshMongodb Mongosh
Timeline
PublishedFeb 27

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that i

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 1.0 | Impact: 6.0

Affected Packages3 packages

NVDmongodb/mongosh< 2.3.9
CVEListV5mongodb_inc/mongosh< 2.3.9
npmmongosh< 2.3.9

🔴Vulnerability Details

3
GHSA
MongoDB Shell may be susceptible to Control Character Injection via autocomplete2025-02-27
OSV
MongoDB Shell may be susceptible to Control Character Injection via autocomplete2025-02-27
CVEList
MongoDB Shell may be susceptible to Control Character Injection via autocomplete2025-02-27