MongoDB Shell may be susceptible to control character Injection via shell output

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output.

Recommendation

Update the mongosh package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.3.9
• Patched version(s): 2.3.9

References

• GHSA-r95j-4jvf-mrrw
• jira.mongodb.org
• CVE-2025-1693
• CWE-150
• CAPEC-310
• OWASP 2021-A6

Related Issues

• MongoDB Shell may be susceptible to Control Character Injection via autocomplete - CVE-2025-1691
• MongoDB Shell may be susceptible to control character injection via pasting - CVE-2025-1692
• Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter - CVE-2026-29793
• Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation - CVE-2026-26318

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

mongosh