Description
mongosh may be susceptible to local privilege escalation under certain conditions, potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules. This issue affects mongosh versions prior to 2.3.0.
Recommendation
Update the mongosh package to the latest compatible version. Version details:
- Affected version(s): < 2.3.0
- Patched version(s): 2.3.0
References
- GHSA-f5w3-73h4-jpcm
- access.redhat.com
- jira.mongodb.org
- CVE-2025-1756
- CWE-426
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Tags:
- npm
- mongosh
Last updated on February 27, 2025