CVE-2025-1692 – mongosh

Package

Manager: npm
Name: mongosh
Vulnerable Version: >=0 <2.3.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00022 pctl0.0435

Details

MongoDB Shell may be susceptible to control character injection via pasting The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9.

Metadata

Created: 2025-02-27T15:31:51Z
Modified: 2025-02-27T17:15:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-973h-3x6p-qg37/GHSA-973h-3x6p-qg37.json
CWE IDs: ["CWE-150"]
Alternative ID: GHSA-973h-3x6p-qg37
Finding: F111
Auto approve: 1