MongoDB Shell may be susceptible to local privilege escalation in Windows
Description
Windows mongosh prior to 2.3.0 allows local privilege escalation via a crafted file in C:\node_modules\ due to untrusted search path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability description
Mongosh, the MongoDB shell, is vulnerable to local privilege escalation on Windows systems due to an untrusted search path issue (CWE-426). When mongosh loads modules, it searches the C:\node_modules\ directory before safer system paths. If an attacker places a crafted file in that location, it can be executed in the context of the user running mongosh, potentially with elevated privileges. This issue affects mongosh versions prior to 2.3.0 [2][3][4].
Exploitation conditions
Exploitation requires a local attacker with the ability to write to C:\node_modules\ (typically requires low privileges) and social engineering to convince a user to run mongosh or a script that triggers module loading. The CVSS vector (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) indicates high complexity and user interaction is required [4]. The vulnerability is Windows-specific.
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the victim, potentially escalating to SYSTEM if mongosh is launched with elevated rights. This compromises confidentiality, integrity, and availability of the system.
Mitigation
The vulnerability is fixed in mongosh version 2.3.0. Users should upgrade to this version or later. No workarounds are documented [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
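As an added, defensive example (not from the advisory or the mongosh project), the following PowerShell audit reports the two conditions the advisory describes on a Windows host: an installed mongosh older than the fixed 2.3.0 release, and a C:\node_modules directory that low-privileged principals can write to (or, if it is absent, create). It assumes mongosh is on PATH and uses a constructed list of well-known low-privileged group names.

```powershell
# Added example, not part of the advisory or the mongosh project.
# Audits a Windows host for the conditions this CVE describes.
$FixedVersion  = [version]'2.3.0'        # fixed release per the advisory
$SearchPathDir = 'C:\node_modules'       # untrusted search path per the advisory
# Constructed list: principals every standard (non-admin) user belongs to.
$LowPrivGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Get-MongoshVersion {
    # Assumes mongosh is on PATH; parses the x.y.z printed by "mongosh --version".
    $cmd = Get-Command mongosh -ErrorAction SilentlyContinue
    if (-not $cmd) { return $null }
    $output = & $cmd.Source --version 2>$null
    if ("$output" -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-LowPrivWrite {
    param([string]$Path, [string]$RightsPattern)
    # True if any low-privileged principal holds an Allow ACE matching $RightsPattern.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights.ToString() -match $RightsPattern) { return $true }
    }
    return $false
}

$findings = @()
$ver = Get-MongoshVersion
if ($ver -and $ver -lt $FixedVersion) {
    $findings += "mongosh $ver is older than $FixedVersion (affected)"
}
$writeRights = 'Write|Modify|FullControl|CreateFiles|AppendData'
if (Test-Path -LiteralPath $SearchPathDir) {
    if (Test-LowPrivWrite -Path $SearchPathDir -RightsPattern $writeRights) {
        $findings += "$SearchPathDir exists and is writable by low-privileged users"
    }
} elseif (Test-LowPrivWrite -Path (Split-Path $SearchPathDir -Parent) -RightsPattern $writeRights) {
    # Directory is absent, but its parent lets low-privileged users create it.
    $findings += "$SearchPathDir is absent but low-privileged users can create it"
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings for this CVE on this host' }
```

Run from an elevated prompt so Get-Acl can read the ACLs; a finding on the second condition is worth fixing regardless of the mongosh version, since it is the precondition the advisory relies on.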
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mongosh (npm) | < 2.3.0 | 2.3.0 |
Affected products
MongoDB Inc / mongosh: cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:* (Range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.