MongoDB Shell Control Character Injection Vulnerability via Autocomplete

Vulnerability

A control character injection vulnerability has been identified in the MongoDB Shell (mongosh) versions prior to 2.3.9. This issue allows an attacker to manipulate the autocomplete feature to inject and execute obfuscated malicious text. Exploitation requires user interaction, specifically pressing the Tab key to autocomplete text that matches the prefix of the attacker's prepared autocompletion. The vulnerability can only be exploited when mongosh is connected to a cluster that is partially or fully controlled by the attacker.
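The mechanism above depends on a completion candidate containing bytes that the terminal interprets as cursor or erase commands, so the text the user sees differs from the text the shell receives. The following is an added illustration of a client-side check against that class of issue; it is not mongosh code, and the function names and the sample candidate list are constructed for this example.

```javascript
// Added defensive example (not mongosh's own code): reject autocomplete
// candidates that carry control characters or terminal escape sequences,
// so that what the terminal renders always equals what will be executed.

// C0 controls, DEL, and C1 controls (U+0080..U+009F); several terminals
// treat C1 bytes as the start of an escape sequence just like ESC [.
const CONTROL_CHAR_RE = /[\u0000-\u001f\u007f-\u009f]/;

// Returns true when a candidate is plain printable text.
function isSafeCompletion(candidate) {
  return typeof candidate === 'string' && !CONTROL_CHAR_RE.test(candidate);
}

// Filters a candidate list, keeping only printable entries; also returns
// how many were dropped so the client can log that the server sent
// something it should not have.
function filterCompletions(candidates) {
  const kept = [];
  let dropped = 0;
  for (const c of candidates) {
    if (isSafeCompletion(c)) kept.push(c); else dropped++;
  }
  return { kept, dropped };
}

// Renders the hidden characters of a candidate as \xNN escapes for logging.
function describeCandidate(candidate) {
  return candidate.replace(/[\u0000-\u001f\u007f-\u009f]/g, (ch) =>
    '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Constructed sample: what a prefix-match lookup might return from a server
// the client does not trust. The first two are ordinary names; the rest
// embed a backspace, an ESC-led CSI sequence, and a C1 control byte.
const SAMPLE_CANDIDATES = [
  'db.orders.find',
  'db.orders.findOne',
  'db.orders.find\u0008x',
  'db.orders.find\u001b[2K',
  'db.orders.find\u009b2K',
];

const result = filterCompletions(SAMPLE_CANDIDATES);
console.log(`kept ${result.kept.length}, dropped ${result.dropped}`);
for (const c of SAMPLE_CANDIDATES) {
  if (!isSafeCompletion(c)) console.log('rejected:', describeCandidate(c));
}
```

The same check belongs on any string a remote system contributes to an interactive terminal, not only completion candidates.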

Impact

Exploitation of this vulnerability could lead to the execution of injected malicious text, potentially allowing for further exploitation or manipulation within the MongoDB environment.

Remediation

Users can upgrade to MongoDB Shell version 2.3.9 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.