MongoDB Shell may be susceptible to control character Injection via shell output

Description

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

This issue affects mongosh versions prior to 2.3.9.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2025-02-27 15:31:51 UTC
Updated
2025-02-27 17:16:10 UTC
GitHub reviewed
2025-02-27 17:16:09 UTC
NVD published
2025-02-27

EPSS Score

Score Percentile
0.11% 29.71%

CVSS Scores

Base score Version Severity Vector
3.9 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm mongosh < 2.3.9 2.3.9

References

cvelogic Threat Intelligence