CVE-2025-1755
Published: 27 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-1755 is a local privilege escalation vulnerability in MongoDB Compass, stemming from CWE-426 (Untrusted Search Path). It affects MongoDB Compass versions prior to 1.42.1 and can be triggered under certain conditions when a crafted file is stored in the C:\node_modules\ directory. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating high impact potential with local access required.
A local attacker with low privileges can exploit this vulnerability through a high-complexity attack that requires user interaction. Successful exploitation enables unauthorized actions on the user's system with elevated privileges, potentially granting full control over confidentiality, integrity, and availability.
Mitigation is available via upgrade to MongoDB Compass 1.42.1 or later, as indicated by the MongoDB advisory at https://jira.mongodb.org/browse/COMPASS-9058. Red Hat has also released errata RHSA-2025:1755 addressing the issue, available at https://access.redhat.com/errata/RHSA-2025:1755.html.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-1755 enables local privilege escalation in MongoDB Compass via a crafted file in C:\node_modules\, directly facilitating exploitation for privilege escalation (T1068).