SB2025022816 - Multiple vulnerabilities in MongoDB Shell

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2025-1691)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to control character injection via autocomplete feature. A remote administrator can input and run obfuscated malicious text to execute arbitrary code on the system.

2) Improper Neutralization of Escape, Meta, or Control Sequences (CVE-ID: CVE-2025-1693)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to control character injection via shell output. A remote administrator can execute arbitrary code on the target system.

3) Improper Neutralization of Escape, Meta, or Control Sequences (CVE-ID: CVE-2025-1692)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to control character injection via pasting. A local administrator can execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

• https://jira.mongodb.org/browse/MONGOSH-2024
• https://github.com/advisories/GHSA-43g5-2wr2-q7vj
• https://jira.mongodb.org/browse/MONGOSH-2026
• https://github.com/advisories/GHSA-r95j-4jvf-mrrw
• https://jira.mongodb.org/browse/MONGOSH-2025
• https://github.com/advisories/GHSA-973h-3x6p-qg37