Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.  The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

INFO

Published Date :

2025-02-27T12:34:02.752Z

Last Modified :

2025-02-27T15:18:23.418Z

Source :

mongodb
AFFECTED PRODUCTS

The following products are affected by CVE-2025-1691 vulnerability.

Vendors Products
Mongodb
  • Mongosh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-1691.

URL Resource
https://jira.mongodb.org/browse/MONGOSH-2024 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact