CVE-2025-1691

Severity CVSS v4.0:

Pending analysis

Type:

CWE-74 Injection

Publication date:

27/02/2025

Last modified:

27/02/2025

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.60 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

7.60

Severity 3.x

HIGH

References to Advisories, Solutions, and Tools

https://jira.mongodb.org/browse/MONGOSH-2024