GHSA-r95j-4jvf-mrrw

Suggest an improvement
Source
https://github.com/advisories/GHSA-r95j-4jvf-mrrw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-r95j-4jvf-mrrw/GHSA-r95j-4jvf-mrrw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r95j-4jvf-mrrw
Aliases
  • CVE-2025-1693
Published
2025-02-27T15:31:51Z
Modified
2025-02-27T17:42:32.177689Z
Severity
  • 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
MongoDB Shell may be susceptible to control character Injection via shell output
Details

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

This issue affects mongosh versions prior to 2.3.9.

Database specific 
{
    "github_reviewed_at": "2025-02-27T17:16:09Z",
    "cwe_ids": [
        "CWE-150"
    ],
    "nvd_published_at": "2025-02-27T13:15:11Z",
    "severity": "LOW",
    "github_reviewed": true
}
References

Affected packages

npm / mongosh

Package

Name
mongosh
View open source insights on deps.dev
Purl
pkg:npm/mongosh

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.9