Description
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.
Recommendation
Update the @mongodb-js/connection-form package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.20.1
- Patched version(s): 1.20.1
References
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- Slim Select has potential Cross-site Scripting issue - CVE-2024-9440
- Tags:
- npm
- @mongodb-js/connection-form
Anything's wrong? Let us know Last updated on February 27, 2025