CVE-2025-1692
Published: 27 February 2025
Description
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user's clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9.
Security Summary
CVE-2025-1692 is a control character injection vulnerability in the MongoDB Shell, affecting mongosh versions prior to 2.3.9. The flaw enables an attacker with control of the user's clipboard to manipulate them into pasting obfuscated text that evaluates arbitrary code. Control characters in the pasted content (such as carriage returns or terminal escape sequences) can make the text the terminal renders differ from the text mongosh actually evaluates, so a user who reviews the pasted input before pressing Enter can still execute code they never saw.
Exploitation requires local access, high attack complexity, elevated privileges, and user interaction, as indicated by the CVSS 3.1 vector AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (base score 6.3). An attacker must first place content on the clipboard, for example through a malicious application, a web page that rewrites the clipboard on copy, or social engineering, and then trick a privileged user into pasting it into mongosh. Successful exploitation grants arbitrary code execution in the context of the mongosh user, with high impact on confidentiality, integrity, and availability.
The vulnerability is documented in MongoDB's JIRA ticket at https://jira.mongodb.org/browse/MONGOSH-2025 and is associated with CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). Mitigation is to upgrade to mongosh version 2.3.9 or later, which addresses the control character handling issue; verify the installed version with mongosh --version. Until upgraded, treat text pasted from untrusted sources as unreviewed and prefer typing commands or inspecting the clipboard contents in a plain editor first.
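The following is an added illustration of the obfuscation described above; it is not mongosh code and does not reproduce the actual fix in 2.3.9. The pasted payload is constructed for this example: a destructive statement is followed by an ANSI "erase line" sequence and a carriage return, so a terminal shows only the benign query while a REPL that evaluates the raw bytes would run both. The tiny terminal model, the control character detector and the caret-notation escaper are all hypothetical helpers written for this page.

```javascript
// Added example, not part of mongosh. Demonstrates how control characters
// in pasted text hide code from the user, and one way a REPL could flag or
// make them visible before evaluating the paste.

// Constructed payload: malicious statement, then ESC[2K (erase whole line)
// and '\r' (cursor to column 0), then a benign statement that is all the
// terminal ends up displaying.
const PASTED =
  'db.adminCommand({ shutdown: 1 });\x1b[2K\rdb.users.find({ role: "admin" })';

// Minimal terminal model covering only the two sequences used above.
// Real terminals interpret many more, which is why stripping, not
// rendering, is the sensible defence.
function renderLine(text) {
  let cells = [];
  let col = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\r') { col = 0; continue; }            // carriage return
    if (ch === '\x1b' && text.startsWith('[2K', i + 1)) { // CSI 2K: erase line
      cells = [];
      i += 3;
      continue;
    }
    cells[col++] = ch;                                  // overwrite in place
  }
  return cells.map((c) => (c === undefined ? ' ' : c)).join('');
}

// Tab and newline are legitimate in pasted code; everything else in the
// C0 range, DEL, and the C1 range is treated as a control character.
const ALLOWED = new Set([0x09, 0x0a]);

function isControl(code) {
  return (code < 0x20 && !ALLOWED.has(code)) ||
         code === 0x7f ||
         (code >= 0x80 && code <= 0x9f);
}

// Returns the position and code point of every disallowed control character.
function findControlCharacters(text) {
  const found = [];
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (isControl(code)) found.push({ index: i, codePoint: code });
  }
  return found;
}

// A paste is safe to evaluate as-is only if it carries no control characters.
function isPasteSafe(text) {
  return findControlCharacters(text).length === 0;
}

// Rewrites control characters in caret notation (as `cat -v` does) so the
// user sees exactly what would be evaluated: ESC becomes ^[, CR becomes ^M.
function escapeControlCharacters(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (!isControl(code)) { out += text[i]; continue; }
    if (code === 0x7f) out += '^?';
    else if (code < 0x20) out += '^' + String.fromCharCode(code + 0x40);
    else out += '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

console.log('terminal shows :', renderLine(PASTED));
console.log('REPL evaluates :', escapeControlCharacters(PASTED));
console.log('safe to eval   :', isPasteSafe(PASTED));
```

The gap between the first two printed lines is the vulnerability: the user reviews the rendered line, mongosh receives the escaped one. A REPL that refuses or visibly escapes pastes containing disallowed control characters closes that gap regardless of which terminal sequences an attacker chooses.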
Details
- CWE(s)