Home > Vulnerability Database > CVE-2025-1691

Mend.io Vulnerability Database

CVE-2025-1691

Good to know:

Date: February 27, 2025

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

Severity Score

7.6

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1691

Url: https://jira.mongodb.org/browse/MONGOSH-2024

Url: https://github.com/mongodb-js/mongosh

Url: https://www.mend.io/vulnerability-database/CVE-2025-1691

Severity Score

7.6

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version mongosh - 2.3.9

Learn More

CVSS v3.1

Base Score:	7.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1691

Good to know:

Date: February 27, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?