CVE-2025-1691 HIGH

CVE-2025-1691: MongoDB Shell may be susceptible to Control Character Injection via autocomplete

Vendor MongoDB Inc
Product mongosh
Weakness CWE-74
Published February 27, 2025
Last update February 27, 2025

CVSS base score

7.6/10 (High)
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

The MongoDB Shell (mongosh) may be susceptible to control character injection: an attacker who can influence what mongosh offers as autocomplete candidates can use the autocompletion feature to get obfuscated malicious text entered and run. Exploitation requires user interaction, namely the user pressing Tab to autocomplete text that is a prefix of the attacker's prepared completion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

The security-relevant point is the gap between what the terminal displays and what the shell executes. mongosh draws completion candidates such as database and collection names from the connected cluster, so an attacker who controls the cluster controls the candidate text. If that text contains terminal control characters (carriage return, backspace, ANSI escape sequences), the terminal can redraw the line so that part of the completed input is hidden, and the user then presses Enter on a line that is longer than the one they see. The high attack complexity, high privileges and required interaction in the CVSS vector reflect that the attacker must already control the server side and the user must both connect to it and accept a completion. Practitioners should upgrade to mongosh 2.3.9 or later and treat tab completion against clusters they do not fully trust with the same caution as pasting text from an untrusted source.
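As an added illustration of the weakness class (this is example code written for this page, not mongosh's own code and not the fix shipped in 2.3.9), the following Node.js snippet screens a list of autocomplete candidates for C0/C1 control characters, which includes ESC and therefore every ANSI escape sequence. Hits are rendered in caret notation rather than silently stripped, so a hostile name stays visibly hostile instead of collapsing into something that looks like a different legitimate candidate. The candidate names, the `attackerFn()` payload and the function names are all constructed for the example.

```javascript
// Added example, not mongosh's own code: screening autocomplete candidates
// for control characters before they are inserted into the REPL line.
// All candidate names below are constructed sample data.

// C0 control characters (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f).
// ESC (0x1b) falls in this range, so every ANSI escape sequence is caught too.
const CONTROL_CHAR_RE = /[\u0000-\u001f\u007f-\u009f]/g;

// Caret notation for one control code point (ESC -> "^[", CR -> "^M"), so a
// screened string still shows *that* a control character was present.
function caretNotation(code) {
  if (code < 0x20) return '^' + String.fromCharCode(code + 0x40);
  if (code === 0x7f) return '^?';
  return '\\x' + code.toString(16).padStart(2, '0'); // C1 range
}

// Locate every control character in a candidate; an empty array means clean.
function findControlChars(candidate) {
  const hits = [];
  for (const m of candidate.matchAll(CONTROL_CHAR_RE)) {
    const code = m[0].codePointAt(0);
    hits.push({ index: m.index, code, display: caretNotation(code) });
  }
  return hits;
}

function isSafeCandidate(candidate) {
  return findControlChars(candidate).length === 0;
}

// Make control characters visible rather than deleting them: a deleted ESC
// would turn "users<ESC>[2K..." into text that merely looks odd but no
// longer reveals that a terminal sequence was embedded.
function sanitizeCandidate(candidate) {
  return candidate.replace(CONTROL_CHAR_RE, (ch) => caretNotation(ch.codePointAt(0)));
}

// Split candidates (e.g. collection names returned by the cluster the user is
// connected to) into ones safe to offer for Tab completion and ones to reject,
// with the offending characters listed in caret notation.
function filterCandidates(candidates) {
  const safe = [];
  const rejected = [];
  for (const c of candidates) {
    const hits = findControlChars(c);
    if (hits.length === 0) {
      safe.push(c);
    } else {
      rejected.push({ candidate: sanitizeCandidate(c), controls: hits.map((h) => h.display) });
    }
  }
  return { safe, rejected };
}

// Constructed sample input: two ordinary names and two hostile ones.
// The first hostile name carries ANSI "erase line" (ESC [2K) and "cursor to
// column 1" (ESC [1G), which would let a terminal redraw the line without
// the text that follows; the second uses a bare carriage return.
const SAMPLE_CANDIDATES = [
  'users',
  'orders_2024',
  'users\u001b[2K\u001b[1G; attackerFn() //',
  'inventory\r',
];

console.log(JSON.stringify(filterCandidates(SAMPLE_CANDIDATES), null, 2));
```

Run with `node screen-candidates.js` (file name assumed). Rejecting at the candidate level is deliberately stricter than escaping at display time: a completion engine that only fixes rendering still inserts the raw bytes into the line buffer, which is exactly the state this CVE describes.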

Key dates

Disclosure timeline

February 27, 2025 CVE published
February 27, 2025 Record updated
