MongoDB Shell may be susceptible to control character Injection via shell output
Description
MongoDB Shell (mongosh) prior to 2.3.9 is vulnerable to control character injection, allowing an attacker controlling the database cluster to inject falsified messages into shell output, potentially misleading users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
The MongoDB Shell (mongosh) is susceptible to a control character injection vulnerability (CWE-150, improper neutralization of escape, meta, or control sequences) in which an attacker who controls the contents of the connected database cluster can inject control characters into the shell's output [1][2][3]. Affected versions did not neutralize such sequences when displaying data retrieved from the cluster, so a string value containing, for example, a carriage return or an ANSI erase-line escape sequence was written to the terminal unchanged, where the terminal acts on it instead of displaying it.
Exploitation
Exploitation requires partial or full control over the contents of the cluster to which mongosh is connected [2][3]; the attacker stores the control characters in documents or other responses that mongosh renders. The victim must be running mongosh against that cluster and must read and act on the falsified output, so user interaction is required. The CVSS vector (AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L) reflects these constraints (high privileges on the cluster, required user interaction) and yields a base score of 3.9 [3].
Impact
Successful exploitation lets the attacker display falsified messages that appear to originate from mongosh itself or from the underlying operating system [1][2]. A user who trusts such output may be induced to take unsafe actions, such as running a command the message suggests or disclosing sensitive information. The rated impact is low for confidentiality, integrity, and availability (C:L/I:L/A:L).
Mitigation
The vulnerability is fixed in mongosh 2.3.9 [1][2][3]; upgrade to that version or later. No workaround is documented. Until the upgrade is applied, the exposure is limited to sessions connected to clusters whose contents an untrusted party can write, so avoid using an unpatched mongosh against such clusters and treat unexpected prompts or instructions appearing in shell output with suspicion.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
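The mechanism described in the Details, Exploitation and Impact paragraphs above, as an added example that is not code from mongosh or from the advisory: a constructed document whose `status` field carries an ANSI erase-line sequence and a carriage return, a printer that emits the value verbatim (the behaviour the advisory describes), a hardened printer that neutralizes C0/C1 control characters (CWE-150), and a small terminal model that shows what the user would actually see in each case. The document, the field name, the spoofed message and the two printer functions are assumptions made for this example; the hardened printer goes beyond the single case and escapes every C0/C1 control character, not only ESC and CR.

```javascript
// Added example (not mongosh's own code). A constructed document with a
// control-character payload, a verbatim printer, a hardened printer and a
// tiny terminal model showing the visible result of each.

// Constructed document, as if returned by a query against a cluster whose
// contents the attacker can write. ESC [ 2 K erases the current terminal
// line and "\r" returns the cursor to column 0, so the text that follows
// replaces the shell's own output on that line.
const ATTACKER_DOC = {
  _id: 1,
  status: '\x1b[2K\rmongosh: WARNING: cluster key rotated, run load("/tmp/fix.js")',
};

// Vulnerable rendering (stand-in, not mongosh's printer): the string value
// reaches the terminal unchanged.
function renderVerbatim(doc) {
  return `{ _id: ${doc._id}, status: '${doc.status}' }`;
}

// Characters a terminal acts on instead of displaying: C0 controls
// (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F). Tab, LF and CR are
// deliberately not exempted: "\r" on its own is enough to overwrite a line.
const CONTROL_CHAR = /[\x00-\x1f\x7f-\x9f]/;

function containsControlChars(s) {
  return CONTROL_CHAR.test(s);
}

// Hardened rendering: every control character becomes a visible \xNN escape,
// so the terminal shows the bytes rather than interpreting them.
function escapeControlChars(s) {
  return s.replace(/[\x00-\x1f\x7f-\x9f]/g,
    (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function renderEscaped(doc) {
  return `{ _id: ${doc._id}, status: '${escapeControlChars(doc.status)}' }`;
}

// Minimal terminal model: handles LF, CR and the CSI "erase line" sequence
// (ESC [ 2 K); any other CSI sequence is consumed without effect. Returns
// the visible screen lines.
function simulateTerminal(text) {
  const lines = [''];
  let col = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\n') { lines.push(''); col = 0; continue; }
    if (ch === '\r') { col = 0; continue; }
    if (ch === '\x1b' && text[i + 1] === '[') {
      // CSI: ESC [ <parameter bytes> <final byte 0x40-0x7E>
      let j = i + 2;
      while (j < text.length && !/[\x40-\x7e]/.test(text[j])) j++;
      if (text[j] === 'K' && text.slice(i + 2, j) === '2') {
        lines[lines.length - 1] = '';   // EL 2: erase whole line, cursor stays
      }
      i = j;
      continue;
    }
    const row = lines[lines.length - 1].padEnd(col, ' ');
    lines[lines.length - 1] = row.slice(0, col) + ch + row.slice(col + 1);
    col++;
  }
  return lines;
}

// What the user sees for each printer.
function spoofedScreen() { return simulateTerminal(renderVerbatim(ATTACKER_DOC)); }
function safeScreen() { return simulateTerminal(renderEscaped(ATTACKER_DOC)); }

console.log('verbatim :', JSON.stringify(spoofedScreen()));
console.log('escaped  :', JSON.stringify(safeScreen()));
```

Run with node: the first printed line shows that the user sees only the attacker's fake warning, with the shell's own `{ _id: 1, status: '` prefix erased; the second shows the same document with the sequences made visible as `\x1b[2K` and `\x0d`, which is the kind of neutralization CWE-150 calls for.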
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mongosh (npm) | < 2.3.9 | 2.3.9 |
Affected products
- MongoDB Inc / mongosh: cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-r95j-4jvf-mrrw (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-1693 (NVD advisory)
- https://jira.mongodb.org/browse/MONGOSH-2026 (MongoDB Jira)