CVE-2025-1691

Name of the Vulnerable Software and Affected Versions mongosh versions prior to 2.3.9

Description The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. The issue is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

Recommendations For versions prior to 2.3.9, update to version 2.3.9 or later to resolve the issue. As a temporary workaround, consider disabling the autocompletion feature in mongosh to minimize the risk of exploitation. Restrict access to clusters that are partially or fully controlled by an attacker to prevent potential exploitation.