MongoDB Shell may be susceptible to control character injection via pasting

Severity:: Medium

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9.

Recommendation

Update the mongosh package to the latest compatible version. Followings are version details:

Affected version(s): < 2.3.9
Patched version(s): 2.3.9

References

GHSA-973h-3x6p-qg37
jira.mongodb.org
CVE-2025-1692
CWE-150
CAPEC-310
OWASP 2021-A6

Related Issues

MongoDB Shell may be susceptible to control character Injection via shell output - CVE-2025-1693
MongoDB Shell may be susceptible to Control Character Injection via autocomplete - CVE-2025-1691
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
tarteaucitron.js allows url scheme injection via unfiltered inputs - CVE-2025-31476

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; mongosh

Anything's wrong? Let us know Last updated on February 27, 2025