Description
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9
CVSS Metrics
- Vector
- CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
- Attack Vector
- local
- Complexity
- high
- Privileges
- high
- User Action
- required
- Scope
- unchanged
- Confidentiality
- high
- Integrity
- high
- Availability
- high
- Weaknesses
- CWE-150
Metadata
- Primary Vendor
- MONGODB
- Published
- 2/27/2025
- Last Modified
- 9/22/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
mongodb : mongosh
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.