CVE-2025-1693

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-1693

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1693.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1693

Aliases

GHSA-r95j-4jvf-mrrw

Published

2025-02-27T13:15:11.563Z

Modified

2026-04-10T05:25:53.782771Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

This issue affects mongosh versions prior to 2.3.9

References

https://jira.mongodb.org/browse/MONGOSH-2026

Affected packages

Git / github.com/mongodb-js/mongosh

Affected ranges

Type

GIT

Repo

https://github.com/mongodb-js/mongosh

Events

Introduced

Fixed

bfb783bc891cacfc1967c38e478eb360e4fc46f8

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.9"
        }
    ]
}

Affected versions

0.*

0.0.2

@mongosh/arg-parser@3.*

@mongosh/arg-parser@3.0.0

@mongosh/async-rewriter2@2.*

@mongosh/async-rewriter2@2.4.0

@mongosh/autocomplete@3.*

@mongosh/autocomplete@3.0.0

@mongosh/browser-repl@3.*

@mongosh/browser-repl@3.0.0

@mongosh/browser-runtime-core@3.*

@mongosh/browser-runtime-core@3.0.0

@mongosh/browser-runtime-electron@3.*

@mongosh/browser-runtime-electron@3.0.0

@mongosh/build@3.*

@mongosh/build@3.0.0

@mongosh/connectivity-tests@2.*

@mongosh/connectivity-tests@2.4.0

@mongosh/docker-build-scripts@3.*

@mongosh/docker-build-scripts@3.0.0

@mongosh/e2e-tests@3.*

@mongosh/e2e-tests@3.0.0

@mongosh/editor@3.*

@mongosh/editor@3.0.0

@mongosh/errors@2.*

@mongosh/errors@2.4.0

@mongosh/history@2.*

@mongosh/history@2.4.0

@mongosh/i18n@2.*

@mongosh/i18n@2.4.0

@mongosh/java-shell@2.*

@mongosh/java-shell@2.4.0

@mongosh/js-multiline-to-singleline@2.*

@mongosh/js-multiline-to-singleline@2.4.0

@mongosh/logging@3.*

@mongosh/logging@3.0.0

@mongosh/node-runtime-worker-thread@3.*

@mongosh/node-runtime-worker-thread@3.0.0

@mongosh/service-provider-core@3.*

@mongosh/service-provider-core@3.0.0

@mongosh/service-provider-node-driver@3.*

@mongosh/service-provider-node-driver@3.0.0

@mongosh/shell-api@3.*

@mongosh/shell-api@3.0.0

@mongosh/shell-evaluator@3.*

@mongosh/shell-evaluator@3.0.0

@mongosh/snippet-manager@3.*

@mongosh/snippet-manager@3.0.0

@mongosh/types@3.*

@mongosh/types@3.0.0

v0.*

v0.0.1

v0.0.1-alpha.0

v0.0.1-alpha.1

v0.0.1-alpha.10

v0.0.1-alpha.11

v0.0.1-alpha.12

v0.0.1-alpha.13

v0.0.1-alpha.15

v0.0.1-alpha.17

v0.0.1-alpha.18

v0.0.1-alpha.19

v0.0.1-alpha.2

v0.0.1-alpha.3

v0.0.1-alpha.4

v0.0.1-alpha.5

v0.0.1-alpha.6

v0.0.1-alpha.7

v0.0.1-alpha.8

v0.0.1-alpha.9

v0.0.2

v0.0.2-alpha.0

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.1.0

v0.10.0

v0.10.0-draft.0

v0.10.1

v0.10.1-draft.0

v0.11.0

v0.11.0-draft.0

v0.11.0-draft.1

v0.11.0-draft.2

v0.12.0

v0.12.0-draft.0

v0.12.1

v0.12.1-draft.0

v0.13.0

v0.13.0-draft.0

v0.13.0-draft.1

v0.13.1

v0.13.1-draft.0

v0.13.2

v0.13.2-draft.0

v0.14.0

v0.14.0-draft.0

v0.14.1-draft.0

v0.15.0

v0.15.0-draft.0

v0.15.1

v0.15.1-draft.0

v0.15.2

v0.15.2-draft.0

v0.15.3

v0.15.3-draft.0

v0.15.3-draft.1

v0.15.4

v0.15.4-draft.0

v0.15.5

v0.15.5-draft.0

v0.15.6

v0.15.6-draft.0

v0.2.0

v0.2.1

v0.2.2

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.2

v0.6.0

v0.6.1

v0.7.0

v0.7.0-draft.1

v0.7.0-draft.2

v0.7.0-draft.3

v0.7.0-draft.4

v0.7.0-draft.5

v0.7.0-draft.6

v0.7.0-draft.7

v0.7.0-draft.8

v0.7.0-draft.9

v0.7.0-testrelease

v0.7.0-testrelease1

v0.7.0-testrelease2

v0.7.1

v0.7.1-draft.1

v0.7.2

v0.7.2-draft.1

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.8.0

v0.8.0-draft.0

v0.8.0-draft.1

v0.8.0-draft.10

v0.8.0-draft.11

v0.8.0-draft.2

v0.8.0-draft.3

v0.8.0-draft.4

v0.8.0-draft.5

v0.8.0-draft.6

v0.8.0-draft.7

v0.8.0-draft.8

v0.8.0-draft.9

v0.8.1

v0.8.1-draft.2

v0.8.1-draft.3

v0.8.2

v0.8.2-draft.0

v0.8.3

v0.8.3-draft.0

v0.8.3-draft.1

v0.8.3-draft.2

v0.8.3-draft.3

v0.8.3-draft.4

v0.9.0

v0.9.0-draft.0

v1.*

v1.0.0

v1.0.0-draft.0

v1.0.0-draft.1

v1.0.1

v1.0.1-draft.0

v1.0.2

v1.0.2-draft.0

v1.0.3

v1.0.3-draft.0

v1.0.4

v1.0.4-draft.0

v1.0.5

v1.0.5-draft.0

v1.0.6

v1.0.6-draft.0

v1.0.6-draft.1

v1.0.6-draft.2

v1.0.6-draft.3

v1.0.6-draft.4

v1.0.7

v1.0.7-draft.0

v1.1.0

v1.1.0-draft.0

v1.1.1

v1.1.1-draft.0

v1.1.2

v1.1.2-draft.0

v1.1.3

v1.1.3-draft.0

v1.1.4

v1.1.4-draft.0

v1.1.5

v1.1.5-draft.0

v1.1.5-draft.1

v1.1.6

v1.1.6-draft.0

v1.1.7

v1.1.7-draft.0

v1.1.7-draft.1

v1.1.8

v1.1.8-draft.0

v1.1.8-draft.1

v1.1.8-draft.2

v1.1.8-draft.3

v1.1.8-draft.4

v1.1.8-draft.5

v1.1.8-draft.6

v1.1.8-draft.7

v1.1.8-draft.8

v1.1.9

v1.1.9-draft.0

v1.1.9-draft.1

v1.10.0

v1.10.0-draft.0

v1.10.1

v1.10.1-draft.0

v1.10.2

v1.10.2-draft.0

v1.10.3

v1.10.3-draft.0

v1.10.4

v1.10.4-draft.0

v1.10.5

v1.10.5-draft.0

v1.10.5-draft.1

v1.10.6

v1.10.6-draft.0

v1.10.6-draft.1

v1.2.0

v1.2.0-draft.0

v1.2.1

v1.2.1-draft.0

v1.2.2

v1.2.2-draft.0

v1.2.2-draft.1

v1.2.3

v1.2.3-draft.0

v1.2.3-draft.1

v1.3.0

v1.3.0-draft.0

v1.3.1

v1.3.1-draft.0

v1.4.0

v1.4.0-draft.0

v1.4.1

v1.4.1-draft.0

v1.4.2

v1.4.2-draft.0

v1.5.0

v1.5.0-draft.0

v1.5.0-draft.1

v1.5.0-draft.2

v1.5.0-draft.3

v1.5.0-draft.4

v1.5.0-draft.5

v1.5.1

v1.5.1-draft.0

v1.5.1-draft.1

v1.5.1-draft.2

v1.5.2

v1.5.2-draft.0

v1.5.3

v1.5.3-draft.0

v1.5.4

v1.5.4-draft.0

v1.6.0

v1.6.0-draft.0

v1.6.1

v1.6.1-draft.0

v1.6.2

v1.6.2-draft.0

v1.7.0

v1.7.0-draft.0

v1.7.1

v1.7.1-draft.0

v1.8.0

v1.8.0-draft.0

v1.8.1

v1.8.1-draft.0

v1.8.2

v1.8.2-draft.0

v1.9.0

v1.9.0-draft.0

v1.9.1

v1.9.1-draft.0

v2.*

v2.0.0

v2.0.0-draft.0

v2.0.0-draft.1

v2.0.0-draft.2

v2.0.0-draft.3

v2.0.0-draft.4

v2.0.1

v2.0.1-draft.0

v2.0.2

v2.0.2-draft.0

v2.1.0

v2.1.0-draft.0

v2.1.0-draft.1

v2.1.1

v2.1.1-draft.0

v2.1.2

v2.1.2-draft.2

v2.1.3

v2.1.3-draft.0

v2.1.3-draft.1

v2.1.3-draft.2

v2.1.3-draft.3

v2.1.4

v2.1.4-draft.0

v2.1.5

v2.1.5-draft.0

v2.1.5-draft.1

v2.1.5-draft.2

v2.2.0

v2.2.0-draft.0

v2.2.0-draft.1

v2.2.1

v2.2.1-draft.0

v2.2.1-draft.1

v2.2.10

v2.2.10-draft.0

v2.2.11

v2.2.11-draft.0

v2.2.11-draft.1

v2.2.12

v2.2.12-draft.0

v2.2.12-draft.1

v2.2.13

v2.2.13-draft.0

v2.2.13-draft.1

v2.2.14

v2.2.14-draft.0

v2.2.15

v2.2.15-draft.0

v2.2.2

v2.2.2-draft.0

v2.2.3

v2.2.3-draft.0

v2.2.4

v2.2.4-draft.0

v2.2.4-draft.1

v2.2.4-draft.2

v2.2.4-draft.3

v2.2.4-draft.4

v2.2.5

v2.2.5-draft.0

v2.2.6

v2.2.6-draft.0

v2.2.7

v2.2.7-draft.0

v2.2.8

v2.2.8-draft.0

v2.2.9

v2.2.9-draft.0

v2.3.0

v2.3.0-draft.0

v2.3.1

v2.3.1-draft.0

v2.3.2

v2.3.2-draft.0

v2.3.3

v2.3.3-draft.0

v2.3.4

v2.3.4-draft.0

v2.3.5

v2.3.5-draft.0

v2.3.6

v2.3.6-draft.0

v2.3.7

v2.3.7-draft.0

v2.3.8

v2.3.8-draft.0

v2.3.9-draft.0

v2.3.9-draft.1

v2.3.9-draft.10

v2.3.9-draft.11

v2.3.9-draft.12

v2.3.9-draft.2

v2.3.9-draft.3

v2.3.9-draft.4

v2.3.9-draft.5

v2.3.9-draft.6

v2.3.9-draft.7

v2.3.9-draft.8

v2.3.9-draft.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1693.json"