CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-1692: MongoDB Shell may be susceptible to control character injection via pasting

6.3 CVSS

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9

Classification

CVE ID: CVE-2025-1692

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.3

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Problem Types

CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

Affected Products

Vendor: MongoDB Inc

Product: mongosh

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.12% (scored less or equal to compared to others)

EPSS Date: 2025-03-28 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1692
https://jira.mongodb.org/browse/MONGOSH-2025

Timeline

2025-02-27 13:40:18 UTC
CVE

MongoDB Shell may be susceptible to control character injection via pasting
2025-02-27 18:15:25 UTC
Github Advisory Database (NPM)

[mongosh] MongoDB Shell may be susceptible to control character injection via pasting