CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-1691: MongoDB Shell may be susceptible to Control Character Injection via autocomplete

7.6 CVSS

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

Classification

CVE ID: CVE-2025-1691

CVSS Base Severity: HIGH

CVSS Base Score: 7.6

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Problem Types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected Products

Vendor: MongoDB Inc

Product: mongosh

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 10.92% (scored less or equal to compared to others)

EPSS Date: 2025-03-28 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1691
https://jira.mongodb.org/browse/MONGOSH-2024

Timeline

2025-02-27 13:40:18 UTC
CVE

MongoDB Shell may be susceptible to Control Character Injection via autocomplete
2025-02-27 18:15:25 UTC
Github Advisory Database (NPM)

[mongosh] MongoDB Shell may be susceptible to Control Character Injection via autocomplete