VYPR
High severity · NVD Advisory · Published Feb 27, 2025 · Updated Feb 27, 2025

MongoDB Shell may be susceptible to Control Character Injection via autocomplete

CVE-2025-1691

Description

MongoDB Shell (mongosh) prior to 2.3.9 allows control character injection via autocomplete, enabling an attacker with cluster control to execute obfuscated commands when a user presses tab.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2025-1691 is a control character injection vulnerability in the MongoDB Shell (mongosh) affecting versions prior to 2.3.9 [1][2]. The root cause is improper neutralization of special elements in the autocomplete feature (CWE-74) [3]: an attacker who controls the autocomplete suggestions can embed control characters in them, so that the text inserted into the shell is obfuscated from the user.

Exploitation

Conditions

Exploitation requires the attacker to have partial or full control of the MongoDB cluster to which mongosh is connected [2][3]. The attacker must craft a malicious autocomplete suggestion that, when the user presses the tab key to complete a matching prefix, injects obfuscated text into the shell. This user interaction is essential, and the attack complexity is high because privileged access to the cluster is required (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H, score 7.6) [3].

Impact

Successful exploitation allows the attacker to execute arbitrary obfuscated commands within the mongosh session. This can lead to unauthorized data access, data modification, or full compromise of the shell environment, with high impact on confidentiality, integrity, and availability [3].

Mitigation

The vulnerability is fixed in mongosh version 2.3.9 [1][2]. Users are strongly advised to upgrade to 2.3.9 or later. No workarounds are documented; upgrading is the recommended action.
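As an added illustration of the defensive check this bug class calls for (this is example code, not mongosh's own code or its 2.3.9 fix), the snippet below rejects any tab-completion candidate that carries a C0/C1 control character or DEL before it can be echoed into the input line; the candidate names are constructed samples.

```javascript
// Added example, not mongosh's code: reject completion candidates carrying
// control characters before a tab press can insert them into the input line.

// C0 controls (0x00-0x1F, which includes TAB, CR, LF and ESC), DEL (0x7F) and
// C1 controls (U+0080-U+009F, which include the single-byte CSI U+009B).
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/;

// A candidate is safe to echo only if it is a string with no control characters.
function isSafeCompletion(candidate) {
  return typeof candidate === "string" && !CONTROL_CHARS.test(candidate);
}

// Split server-supplied candidates (e.g. collection names) into those safe to
// offer and those to drop; callers should offer only `safe` to the user.
function filterCompletions(candidates) {
  const safe = [];
  const rejected = [];
  for (const c of candidates) {
    (isSafeCompletion(c) ? safe : rejected).push(c);
  }
  return { safe, rejected };
}

// Constructed sample: two ordinary names and two with embedded controls
// (a CR followed by an ESC-led erase-to-end-of-line sequence, and a C1 CSI byte).
const SAMPLE_CANDIDATES = [
  "users",
  "orders",
  "users\r\u001b[Khidden",
  "orders\u009bhidden",
];

const result = filterCompletions(SAMPLE_CANDIDATES);
console.log(`offered: ${result.safe.join(", ")} | dropped: ${result.rejected.length}`);
```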

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
mongosh (npm)  < 2.3.9             2.3.9

Affected products (2)

  • MongoDB Inc/mongoshv5
    cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*
    Range: 0
  • ghsa-coords
    Range: < 2.3.9

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.