CVE-2025-1691
Published: 27 February 2025
Description
The MongoDB Shell may be susceptible to control character injection, where an attacker with control of the mongosh autocomplete feature can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
Security Summary
CVE-2025-1691 is a control character injection vulnerability in the MongoDB Shell, known as mongosh. It allows an attacker with control over the mongosh autocomplete feature to inject and execute obfuscated malicious text through the autocompletion mechanism. The issue requires user interaction, specifically pressing the 'tab' key to autocomplete text that matches a prefix prepared by the attacker. This vulnerability affects mongosh versions prior to 2.3.9.
Exploitation is possible only when mongosh is connected to a MongoDB cluster that is partially or fully controlled by the attacker. The attacker needs high privileges (PR:H) on the cluster and network access (AV:N), must overcome high attack complexity (AC:H), and must trick the user into the required interaction (UI:R). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) with a changed scope (S:C), earning a CVSS v3.1 base score of 7.6. The associated CWE is CWE-74.
Mitigation requires upgrading to mongosh version 2.3.9 or later. Additional details are available in the MongoDB advisory at https://jira.mongodb.org/browse/MONGOSH-2024.
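To illustrate the class of check that addresses control character injection in completion text, the following added example screens autocompletion candidates for control characters before they are offered on 'tab'. It is not mongosh's code and not the fix shipped in 2.3.9; the function names and the sample candidates are constructed for illustration.

```javascript
// Added example: screen completion candidates for control characters.
// Function names and sample data are constructed, not taken from mongosh.

// C0 controls (including ESC, CR, LF, TAB), DEL, and C1 controls.
const CONTROL_RE = /[\u0000-\u001f\u007f-\u009f]/g;

// Render a control character visibly, e.g. ESC becomes the text "\x1b".
function visible(ch) {
  return '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
}

// Return the position and code point of every control character found.
function findControlChars(candidate) {
  const hits = [];
  for (const m of candidate.matchAll(CONTROL_RE)) {
    hits.push({ index: m.index, code: m[0].charCodeAt(0) });
  }
  return hits;
}

// Split candidates into those safe to offer and those to withhold.
// Withheld entries carry an escaped form that is safe to log or display.
function screenCompletions(candidates) {
  const safe = [];
  const rejected = [];
  for (const c of candidates) {
    const hits = findControlChars(c);
    if (hits.length === 0) {
      safe.push(c);
    } else {
      rejected.push({ escaped: c.replace(CONTROL_RE, visible), hits });
    }
  }
  return { safe, rejected };
}

// Constructed sample: names as a connected cluster might return them.
const sample = ['db.orders', 'db.users', 'db.inv\u001boices',
                'db.logs\rdb.x', 'db.caf\u00e9'];
const result = screenCompletions(sample);
console.log('offered:', result.safe);
for (const r of result.rejected) console.log('withheld:', r.escaped);
```

Legitimate non-ASCII names such as `db.café` pass the screen, since only the control ranges are matched.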
Details
- CWE(s)