CVE-2025-1691

7.6 HIGH

📋 TL;DR

This CVE describes a control character injection vulnerability in MongoDB Shell (mongosh) where an attacker controlling a MongoDB cluster can craft malicious autocomplete suggestions. When users press 'tab' to autocomplete commands, they may inadvertently execute obfuscated malicious code. This affects mongosh users connecting to untrusted or compromised MongoDB clusters.

💻 Affected Systems

Products:
  • MongoDB Shell (mongosh)
Versions: All versions prior to 2.3.9
Operating Systems: All platforms running mongosh
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when connecting to attacker-controlled MongoDB clusters. Requires user interaction (pressing tab for autocomplete).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the client system running mongosh, allowing arbitrary code execution, data exfiltration, or lateral movement within the network.

🟠 Likely Case: Limited command execution within the mongosh session, potentially exposing sensitive data or allowing database manipulation.

🟢 If Mitigated: No impact if users only connect to trusted clusters and follow security best practices.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to control a MongoDB cluster and to socially engineer the user into connecting to it and using autocomplete.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.9 and later

Vendor Advisory: https://jira.mongodb.org/browse/MONGOSH-2024

Restart Required: No

Instructions:

1. Update mongosh using your package manager (npm, brew, apt, etc.)
2. Run: npm update -g mongosh (for npm installs)
3. Verify version with: mongosh --version

🔧 Temporary Workarounds

Disable autocomplete (applies to: all platforms)

Temporarily disable the autocomplete feature in mongosh to prevent exploitation:

mongosh --no-autocomplete

🧯 If You Can't Patch

  • Only connect mongosh to trusted, verified MongoDB clusters
  • Train users to avoid using autocomplete when connecting to unfamiliar clusters

🔍 How to Verify

Check if Vulnerable:

Check the installed mongosh version: mongosh --version

Verify Fix Applied:

Confirm the reported version is 2.3.9 or higher: mongosh --version
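The version check above can be scripted for fleet-wide verification. The following is an added example, not code from the advisory or from the mongosh project; it assumes that `mongosh --version` prints a plain `MAJOR.MINOR.PATCH` string (e.g. `2.3.8`) and compares it numerically against the fixed version 2.3.9, so that `2.10.0` is correctly treated as newer than `2.3.9` (a plain string comparison would get this wrong).

```python
import re
import subprocess

# First version carrying the fix, per the advisory.
FIXED_VERSION = (2, 3, 9)


def parse_version(text: str) -> tuple:
    """Extract the leading dotted version from `mongosh --version` output.

    Assumption: the output contains a 'MAJOR.MINOR.PATCH' string such as '2.3.8'.
    Any pre-release suffix (e.g. '-alpha.0') is ignored for the comparison.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version string found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_output: str) -> bool:
    """True when the reported mongosh version is older than 2.3.9.

    Tuples compare element-wise, so (2, 10, 0) > (2, 3, 9) as intended.
    """
    return parse_version(version_output) < FIXED_VERSION


def check_installed() -> bool:
    """Run the real binary (if it is on PATH) and report whether it needs updating."""
    result = subprocess.run(
        ["mongosh", "--version"], capture_output=True, text=True, check=True
    )
    return is_vulnerable(result.stdout)


if __name__ == "__main__":
    try:
        print("VULNERABLE: update mongosh to 2.3.9 or later" if check_installed() else "patched")
    except FileNotFoundError:
        print("mongosh not found on PATH")
```

Run it on each workstation (or wrap `check_installed()` in your configuration-management tool) to get a yes/no answer per host rather than eyeballing version strings.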

📡 Detection & Monitoring

Log Indicators:

  • Unusual command sequences in mongosh logs
  • Unexpected database operations from mongosh sessions

Network Indicators:

  • mongosh connections to untrusted or suspicious MongoDB endpoints

SIEM Query:

process.name="mongosh" AND network.destination.ip NOT IN [trusted_cluster_ips]
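The SIEM query above can be reproduced offline against exported telemetry. The following is an added example, not part of the advisory; it assumes JSON-lines endpoint events with `process.name` and `network.destination.ip` fields (the field names from the query) and a constructed allowlist of trusted cluster networks. It flags every mongosh process that connected to an address outside those networks, which is the condition under which this CVE is exploitable.

```python
import ipaddress
import json

# Constructed allowlist (assumption): networks where your trusted MongoDB clusters live.
TRUSTED_CLUSTER_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.10/32")
]

# Constructed sample telemetry in JSON-lines form; not real data.
SAMPLE_LOG = """\
{"host":"wks-01","user":"alice","process":{"name":"mongosh"},"network":{"destination":{"ip":"10.20.3.7","port":27017}}}
{"host":"wks-02","user":"bob","process":{"name":"mongosh"},"network":{"destination":{"ip":"203.0.113.45","port":27017}}}
{"host":"wks-02","user":"bob","process":{"name":"curl"},"network":{"destination":{"ip":"203.0.113.45","port":443}}}
{"host":"wks-03","user":"carol","process":{"name":"mongosh"},"network":{"destination":{"ip":"192.168.50.10","port":27017}}}
"""


def parse_events(text: str):
    """Yield one dict per non-blank JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_untrusted_mongosh_connection(event: dict) -> bool:
    """Equivalent of: process.name="mongosh" AND destination.ip NOT IN trusted_cluster_ips."""
    if event.get("process", {}).get("name") != "mongosh":
        return False
    dest_ip = ipaddress.ip_address(event["network"]["destination"]["ip"])
    return not any(dest_ip in net for net in TRUSTED_CLUSTER_NETWORKS)


def find_alerts(text: str) -> list:
    """Return (host, user, destination ip) for each mongosh connection to an untrusted endpoint."""
    return [
        (ev["host"], ev["user"], ev["network"]["destination"]["ip"])
        for ev in parse_events(text)
        if is_untrusted_mongosh_connection(ev)
    ]


if __name__ == "__main__":
    for host, user, ip in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {user}@{host} ran mongosh against untrusted cluster {ip}")
```

Only the `bob@wks-02` mongosh session to `203.0.113.45` fires: the `curl` connection to the same address is ignored because the query is scoped to the mongosh process, and the other two sessions land inside the trusted ranges. Matching on networks rather than single IPs keeps the allowlist short when clusters are replica sets spread over a subnet.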
