Description
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.
Recommendation
Update the @mongodb-js/connection-form package to the latest compatible version. Version details:
- Affected version(s): < 1.20.1
- Patched version(s): 1.20.1
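As an added check (not code from the advisory or from the MongoDB project), the script below walks an npm package-lock.json "packages" map and reports every copy of @mongodb-js/connection-form, nested copies included, whose version is below the patched 1.20.1. The lock data embedded here is constructed sample input, and the semver comparison is a minimal one written for this check rather than the npm semver library.

```javascript
// Added example: find stale copies of the advisory's package in a lockfile.
const AFFECTED_PACKAGE = "@mongodb-js/connection-form";
const PATCHED_VERSION = "1.20.1"; // advisory: affected < 1.20.1

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts before its release (1.20.1-beta.1 < 1.20.1); prerelease
// tags are compared as plain strings, a simplification of full semver rules.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Assumes lockfileVersion 2 or 3, where every key of "packages" is a
// node_modules path, so nested duplicates are found as well as the top level.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (compareSemver(info.version, PATCHED_VERSION) < 0) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed sample: a patched top-level copy and a stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@mongodb-js/connection-form": { version: "1.20.1" },
    "node_modules/some-plugin/node_modules/@mongodb-js/connection-form": { version: "1.19.4" },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK)));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed contents of package-lock.json; an empty result means no copy below 1.20.1 was found.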
References
Tags: npm, @mongodb-js/connection-form
Last updated on February 27, 2025