MongoDB Shell may be susceptible to Control Character Injection via autocomplete

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text.

Recommendation

Update the mongosh package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.3.9
• Patched version(s): 2.3.9

References

• GHSA-43g5-2wr2-q7vj
• jira.mongodb.org
• CVE-2025-1691
• CWE-74
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• MongoDB Shell may be susceptible to control character Injection via shell output - CVE-2025-1693
• MongoDB Shell may be susceptible to control character injection via pasting - CVE-2025-1692
• @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection - CVE-2026-31975
• tarteaucitron.js allows UI manipulation via unrestricted CSS injection - CVE-2025-31138

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

mongosh