Description
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.
Recommendation
Update the @mongodb-js/connection-form package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.20.1
- Patched version(s): 1.20.1
References
Related Issues
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- MongoDB Shell may be susceptible to Control Character Injection via autocomplete - CVE-2025-1691
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- MongoDB Shell may be susceptible to control character injection via pasting - CVE-2025-1692
You might also like:
- Tags:
- npm
- @mongodb-js/connection-form
Anything's wrong? Let us know Last updated on February 27, 2025


