MongoDB Shell may be susceptible to Control Character Injection via autocomplete

Severity:: High

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text.

Recommendation

Update the mongosh package to the latest compatible version. Followings are version details:

Affected version(s): < 2.3.9
Patched version(s): 2.3.9

References

GHSA-43g5-2wr2-q7vj
jira.mongodb.org
CVE-2025-1691
CWE-74
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

MongoDB Shell may be susceptible to control character Injection via shell output - CVE-2025-1693
Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 5 - CVE-2025-27597
Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 4 - CVE-2025-27597
Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 3 - CVE-2025-27597

Tags:: npm; mongosh

Anything's wrong? Let us know Last updated on February 27, 2025