VYPR
Moderate severity · NVD Advisory · Published Feb 27, 2025 · Updated Feb 27, 2025

MongoDB Shell may be susceptible to control character injection via pasting

CVE-2025-1692

Description

CVE-2025-1692 is a control character injection vulnerability in MongoDB Shell (mongosh) prior to 2.3.9, allowing arbitrary code execution via crafted clipboard content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The MongoDB Shell (mongosh) versions prior to 2.3.9 are vulnerable to a control character injection issue (CWE-150). The root cause lies in improper neutralization of escape, meta, or control sequences when a user pastes text into the shell [2][3]. An attacker with control of the user's clipboard can embed control characters that obfuscate and inject arbitrary JavaScript code in the pasted input [1][2].

Exploitation requires the attacker to have control over the victim's clipboard content and then rely on social engineering to convince the victim to paste that content into mongosh. The attacker must overcome the local access and user interaction prerequisites, as reflected by the CVSS v3.0 vector: AV:L/AC:H/PR:H/UI:R (score 6.3) [3]. The vulnerable product is mongosh, which is a command-line interface for interacting with MongoDB deployments [1].

Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running mongosh. This could lead to a full compromise of confidentiality, integrity, and availability on the local system (C:H/I:H/A:H) [3]. The impact is particularly significant if the MongoDB Shell is used in privileged or automated contexts.

MongoDB has fixed this vulnerability in mongosh version 2.3.9 and later [3]. Users are advised to update to the latest version to mitigate the risk. No workarounds are documented, and the vendor recommends upgrading as the primary remediation [1][2].
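As an added illustration of the neutralization step the narrative above describes (CWE-150: improper neutralization of escape, meta, or control sequences) and of the version check implied by the remediation paragraph, the following Python is example code written for this page; it is not mongosh's own implementation or MongoDB's fix. It assumes a defender wants to inspect text before it reaches an interactive shell: the function names, the constructed sample paste, and the escape-sequence grammar (CSI, OSC and two-character ESC sequences) are all assumptions of this example. It goes slightly beyond the advisory by also flagging Unicode format characters (zero-width and bidi controls), which serve the same obfuscation purpose as C0 controls; the fixed version 2.3.9 is taken from the advisory text.

```python
import re
import unicodedata

# Whitespace controls that legitimately occur in pasted code and are left alone.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}

# ANSI escape sequences: CSI (ESC [ params intermediates final), OSC (ESC ] ...
# terminated by BEL or ESC \), or any other two-character ESC Fe sequence.
# Assumed grammar for this example; it covers the common terminal sequences.
ESC_SEQUENCE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])"
)

# Fixed release per the advisory (mongosh 2.3.9 and later).
FIXED_VERSION = (2, 3, 9)

# Constructed sample: a visible query followed by an "erase line" escape and a
# carriage return that would hide a second statement, plus a zero-width space.
SAMPLE_PASTE = 'db.users.find({})\x1b[2K\rprint("constructed")\u200b'


def find_control_sequences(text):
    """Return a list of (offset, kind, sequence) for every escape sequence,
    C0/C1 control character (Unicode category Cc) or invisible format
    character (category Cf, e.g. zero-width space, bidi overrides) in text."""
    findings = []
    pos = 0
    while pos < len(text):
        match = ESC_SEQUENCE.match(text, pos)
        if match:
            findings.append((pos, "escape-sequence", match.group(0)))
            pos = match.end()
            continue
        ch = text[pos]
        category = unicodedata.category(ch)
        if ch not in ALLOWED_CONTROLS and category in ("Cc", "Cf"):
            findings.append((pos, "control" if category == "Cc" else "format", ch))
        pos += 1
    return findings


def _visible(ch):
    """Render a control/format character as a printable \\xNN or \\uNNNN
    escape; any other character is returned unchanged."""
    if unicodedata.category(ch) not in ("Cc", "Cf"):
        return ch
    code = ord(ch)
    return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"


def neutralize(text):
    """Return text with every flagged sequence rewritten so the terminal and
    the shell display it instead of interpreting it."""
    out = []
    pos = 0
    for offset, _kind, seq in find_control_sequences(text):
        out.append(text[pos:offset])
        out.append("".join(_visible(c) for c in seq))
        pos = offset + len(seq)
    out.append(text[pos:])
    return "".join(out)


def is_safe_to_paste(text):
    """True when the text contains nothing but printable characters and
    ordinary whitespace."""
    return not find_control_sequences(text)


def mongosh_is_patched(version):
    """True when a 'major.minor.patch' mongosh version string is 2.3.9 or later."""
    numeric = version.split("-")[0]  # drop any pre-release suffix
    parts = tuple(int(p) for p in numeric.split("."))
    return parts >= FIXED_VERSION


if __name__ == "__main__":
    for offset, kind, seq in find_control_sequences(SAMPLE_PASTE):
        print(f"offset {offset}: {kind} {seq!r}")
    print("neutralized:", neutralize(SAMPLE_PASTE))
    print("mongosh 2.3.8 patched?", mongosh_is_patched("2.3.8"))
```

Run stand-alone, the script reports the erase-line escape at offset 17 and the zero-width space at offset 42 in the constructed sample, then prints the same text with both rendered as visible `\x1b` and `\u200b` escapes. A shell that applies the same rewriting to bracketed-paste input removes the obfuscation the advisory describes; the version helper is the check an inventory script would run against each installed mongosh.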

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
mongosh (npm)    < 2.3.9             2.3.9

Affected products (2)

  • MongoDB Inc/mongoshv5
    cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*
    Range: 0
  • ghsa-coords
    Range: < 2.3.9

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.