CVE-2025-1692Improper Neutralization of Escape, Meta, or Control Sequences in INC Mongosh

CWE-150Improper Neutralization of Escape, Meta, or Control Sequences4 documents4 sources
Severity
8.8HIGHNVD
CNA6.3
EPSS
0.1%
top 65.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC MongoshMongodb Mongosh
Timeline
PublishedFeb 27

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDmongodb/mongosh< 2.3.9
CVEListV5mongodb_inc/mongosh< 2.3.9

🔴Vulnerability Details

3
GHSA
MongoDB Shell may be susceptible to control character injection via pasting2025-02-27
OSV
MongoDB Shell may be susceptible to control character injection via pasting2025-02-27
CVEList
MongoDB Shell may be susceptible to control character injection via pasting2025-02-27
CVE-2025-1692 — Mongodb INC Mongosh vulnerability | cvebase