Description
Under certain conditions, mongosh may be susceptible to local privilege escalation when a crafted file is stored in C:\node_modules, potentially enabling unauthorized actions on a user’s system with elevated privileges. This issue affects mongosh prior to 2.3.0.
Recommendation
Update the mongosh package to the latest compatible version. Version details:
- Affected version(s): < 2.3.0
- Patched version(s): 2.3.0
References
- GHSA-f5w3-73h4-jpcm
- access.redhat.com
- jira.mongodb.org
- CVE-2025-1756
- CWE-426
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- Cube Core is vulnerable to privilege escalation via a specially crafted request - CVE-2026-25958
- BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283
- MongoDB Shell may be susceptible to control character injection via pasting - CVE-2025-1692
- Quill is vulnerable to XSS via HTML export feature - CVE-2025-15056
Tags: npm, mongosh
Last updated on February 27, 2025


