High severityNVD Advisory· Published Jul 1, 2024· Updated Aug 1, 2024

ejson shell parser in MongoDB Compass maybe bypassed

CVE-2024-6376

Description

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@mongodb-js/connection-formnpm	< 1.20.1	1.20.1

Affected products

MongoDB Inc/MongoDB Compassv5
cpe:2.3:a:mongodb:compass:1.0:*:*:*:*:*:*:*
Range: 0
ghsa-coords
pkg:npm/%40mongodb-js/connection-form
Range: < 1.20.1

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-jxr4-4prv-mh83ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-6376ghsaADVISORY
github.com/mongodb-js/compass/commit/b1f8050d49d66be3bc499cb317a1e1de45390e51ghsaWEB
jira.mongodb.org/browse/COMPASS-7496ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000