GHSA-43g5-2wr2-q7vj: MongoDB Shell may be susceptible to Control Character Injection via autocomplete

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-1691

MongoDB Shell may be susceptible to Control Character Injection via autocomplete

High severity GitHub Reviewed Published Feb 27, 2025 to the GitHub Advisory Database • Updated Feb 27, 2025

Package

npm mongosh (npm)

Affected versions

< 2.3.9

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-1691
• https://jira.mongodb.org/browse/MONGOSH-2024

Published to the GitHub Advisory Database

Feb 27, 2025

Last updated

Feb 27, 2025

EPSS score