MongoDB Shell < 2.3.9 Control Character Injection (MONGOSH-2024, MONGOSH-2025, MONGOSH-2026)

High | Nessus Plugin ID 234125

Synopsis

The remote host is missing a security update.

Description

The version of MongoDB Shell installed on the remote host is prior to 2.3.9. It is, therefore, affected by the vulnerabilities referenced in the MONGOSH-2024, MONGOSH-2025 and MONGOSH-2026 advisories.

- The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user pressing ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. (CVE-2025-1691)

- The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate the user into pasting text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9. (CVE-2025-1692)

- The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. This issue affects mongosh versions prior to 2.3.9. (CVE-2025-1693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to MongoDB Shell version 2.3.9 or later.
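The following is an added example and is not code from mongosh, MongoDB or the Nessus plugin. It shows the defensive side of the three issues described above: detecting and neutralising terminal control characters (C0/C1 controls and ANSI escape sequences) in untrusted text such as cluster contents, autocompletion candidates or pasted input before it is echoed to a terminal, and checking a self-reported mongosh version string against the fixed release 2.3.9. The function names, the caret-notation rendering and the sample value are this example's own choices; the sample string is constructed here to illustrate a line-clearing escape followed by a carriage return, and nothing in it comes from the advisories.

```javascript
// Added example, not code from mongosh or MongoDB. It demonstrates the defence
// relevant to MONGOSH-2024/2025/2026 (CVE-2025-1691, -1692, -1693): make control
// characters visible instead of letting the terminal interpret them, and check a
// reported mongosh version against the fixed release 2.3.9.

// C0 controls other than TAB and LF, DEL, and the C1 controls U+0080..U+009F.
// ESC (0x1b) is included, so every ANSI escape sequence is caught by its lead byte.
const CONTROL_CHAR = /[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]/;

// Whole control units: CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL
// or ESC \), two-byte ESC sequences; otherwise a single control character.
const CONTROL_UNIT = /\x1b(?:\[[0-?]*[ -\/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-Z\\-_])|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]/g;

// True if the text contains anything a terminal would interpret rather than print.
function containsControlChars(text) {
  return CONTROL_CHAR.test(text);
}

// Caret notation for one control character: ESC -> ^[, CR -> ^M, DEL -> ^?,
// and C1 controls as \x85-style hex escapes.
function visibleControl(ch) {
  const code = ch.charCodeAt(0);
  if (code < 0x20) return '^' + String.fromCharCode(code + 0x40);
  if (code === 0x7f) return '^?';
  return '\\x' + code.toString(16).padStart(2, '0');
}

// Replace every control character with its visible form so a falsified status
// line or a hidden command cannot take effect on the terminal. TAB and LF pass
// through unless singleLine is set; a one-line message (a prompt, a warning)
// must not be able to start a fake prompt on the next line.
function sanitizeForTerminal(text, { singleLine = false } = {}) {
  const re = singleLine
    ? /[\x00-\x1f\x7f\x80-\x9f]/g
    : /[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]/g;
  return text.replace(re, visibleControl);
}

// List each control unit (whole escape sequence or lone control character) with
// its offset, for logging or for a warning shown to the operator.
function findControlSequences(text) {
  const found = [];
  const re = new RegExp(CONTROL_UNIT.source, 'g'); // fresh lastIndex per call
  let m;
  while ((m = re.exec(text)) !== null) {
    found.push({ index: m.index, raw: m[0], visible: sanitizeForTerminal(m[0]) });
  }
  return found;
}

// True if a reported mongosh version (for example the output of
// `mongosh --version`) is below the fixed release named in the advisories.
function isAffectedVersion(version, fixed = '2.3.9') {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
    if (!m) throw new Error(`unrecognised version string: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const [a, b] = [parse(version), parse(fixed)];
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal to the fixed version
}

// Constructed sample (not from the advisories): a field value that clears the
// current line (CSI 2K) and returns the cursor (CR) so that a fake status
// message would overwrite the real output if printed raw.
const SAMPLE_VALUE = 'status=ok\x1b[2K\rmongosh: all checks passed';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw contains controls:', containsControlChars(SAMPLE_VALUE));
  console.log('sanitized:', sanitizeForTerminal(SAMPLE_VALUE));
  console.log('units:', findControlSequences(SAMPLE_VALUE));
  console.log('2.3.8 affected:', isAffectedVersion('2.3.8'));
}
```

Rendering controls in caret notation rather than silently dropping them is the choice made here so that an operator can see that a value tried to manipulate the display; dropping them would hide the evidence. TAB and LF are deliberately left alone by default because legitimate document contents contain them, while the `singleLine` option is the right setting for anything rendered as a prompt or status line.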

See Also

https://jira.mongodb.org/browse/MONGOSH-2024

https://jira.mongodb.org/browse/MONGOSH-2025

https://jira.mongodb.org/browse/MONGOSH-2026

Plugin Details

Severity: High

ID: 234125

File Name: mongodb_shell_2_3_9.nasl

Version: 1.1

Type: combined

Agent: windows, macosx, unix

Family: Misc.

Published: 4/10/2025

Updated: 4/10/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2025-1691

CVSS v3

Risk Factor: High

Base Score: 7.6

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS Score Source: CVE-2025-1691

Vulnerability Information

CPE: x-cpe:/a:mongodb:mongodb_shell

Required KB Items: installed_sw/MongoDB Shell

Patch Publication Date: 2/27/2025

Vulnerability Publication Date: 2/27/2025

Reference Information

CVE: CVE-2025-1691, CVE-2025-1692, CVE-2025-1693

IAVB: 2025-B-0037