CVE-2025-1755

7.5 HIGH

📋 TL;DR

MongoDB Compass versions before 1.42.1 are vulnerable to local privilege escalation when a malicious file is placed in the C:\node_modules\ directory. This allows attackers with local access to execute arbitrary code with elevated privileges. Only users running vulnerable MongoDB Compass versions on Windows systems are affected.

💻 Affected Systems

Products:
  • MongoDB Compass
Versions: All versions prior to 1.42.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires that the attacker can write files to the C:\node_modules\ directory. MongoDB Compass must be installed and running.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise where an attacker gains administrative privileges, installs persistent malware, accesses sensitive data, or disables security controls.

🟠 Likely Case

Local attacker gains elevated privileges to install software, modify system configurations, or access other user data on the same system.

🟢 If Mitigated

Attack limited to user-level access if proper file permissions prevent writing to C:\node_modules\ or if the vulnerability is patched.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring attacker access to the local filesystem.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this to gain elevated privileges on workstations or servers running vulnerable MongoDB Compass.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and the ability to write to a specific directory. No public exploit code is available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.42.1 or later

Vendor Advisory: https://jira.mongodb.org/browse/COMPASS-9058

Restart Required: No

Instructions:

1. Open MongoDB Compass.
2. Go to Help > Check for Updates.
3. Follow the prompts to update to version 1.42.1 or later.
4. Alternatively, download the latest version from the MongoDB website and install it.

🔧 Temporary Workarounds

Restrict C:\node_modules\ directory permissions (Windows)

Set restrictive permissions on the C:\node_modules\ directory to prevent unauthorized file writes. Run the following from an elevated command prompt:

icacls C:\node_modules\ /deny Everyone:(OI)(CI)(DE,DC,WD,AD,WA)

Note that a deny entry for Everyone also binds administrators and SYSTEM; if administrators must still manage the directory, scope the deny to a narrower principal such as Users.

🧯 If You Can't Patch

  • Remove write permissions from C:\node_modules\ directory for non-administrative users.
  • Monitor for suspicious file creation in C:\node_modules\ directory using file integrity monitoring.

🔍 How to Verify

Check if Vulnerable:

Check the MongoDB Compass version in Help > About. If the version is below 1.42.1, the installation is vulnerable.

Check Version:

mongodb-compass --version

Verify Fix Applied:

Confirm MongoDB Compass version is 1.42.1 or higher in Help > About.
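A read-only host check covering both the permission workaround above and the verification steps, as an added example that is not part of the advisory. It assumes Compass registers an Uninstall key whose DisplayName starts with "MongoDB Compass" (an assumption) and uses the same write-class rights the icacls workaround denies; it only reports and changes nothing.

```powershell
# Added example, not part of the advisory: checks one Windows host for CVE-2025-1755 exposure.
#  1. Is MongoDB Compass installed at a version below the fixed 1.42.1?
#  2. Can a non-administrative principal create or modify files in C:\node_modules\?
# Assumption: Compass registers an Uninstall key whose DisplayName starts with "MongoDB Compass".

$FixedVersion = [version]'1.42.1'
$TargetDir    = 'C:\node_modules'

# --- 1. Installed version, from the machine-wide (64/32-bit) and per-user Uninstall keys ---
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$compass = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'MongoDB Compass*' } |
    Select-Object -First 1

if ($null -eq $compass) {
    Write-Output 'MongoDB Compass: not found in the Uninstall keys'
} else {
    # DisplayVersion may carry a pre-release suffix; keep only the dotted numeric prefix
    $installed = [version]($compass.DisplayVersion -replace '[^\d.].*$', '')
    $state = if ($installed -lt $FixedVersion) { 'VULNERABLE' } else { 'fixed' }
    Write-Output "MongoDB Compass $installed -> $state (fixed in $FixedVersion)"
}

# --- 2. Which non-admin principals hold write-class rights on the directory? ---
if (-not (Test-Path -LiteralPath $TargetDir)) {
    # The directory normally does not exist; a user allowed to create folders under C:\
    # can still create it, so inspect the drive root's ACL instead.
    Write-Output "$TargetDir does not exist; checking who may create it under C:\"
    $TargetDir = 'C:\'
}
# Same rights the icacls workaround denies (WD/AD/WA/DE/DC), as .NET FileSystemRights flags
$writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles'
$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')  # CREATOR OWNER is an inherit-only placeholder

# Only Allow ACEs are inspected; a Deny ACE (such as the icacls workaround) is not netted
# out here, so review any flagged entry against the full ACL.
$findings = foreach ($ace in (Get-Acl -LiteralPath $TargetDir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IdentityReference.Value -in $trusted) { continue }
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        '{0} has {1} on {2}' -f $ace.IdentityReference, $ace.FileSystemRights, $TargetDir
    }
}
if ($findings) { $findings | ForEach-Object { Write-Output "RISK: $_" } }
else           { Write-Output "OK: no non-administrative write access on $TargetDir" }
```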

📡 Detection & Monitoring

Log Indicators:

  • File creation events in C:\node_modules\ directory from non-administrative users
  • MongoDB Compass process spawning unexpected child processes

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

(EventID=4663 OR EventID=4656) AND ObjectName LIKE 'C:\\node_modules\\%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')

Events 4656 and 4663 are only generated when the Audit File System subcategory is enabled and the directory (or C:\, to catch its creation) carries a SACL that audits write access. SubjectUserName holds an account name, so group membership in Administrators has to be resolved against your identity data rather than matched by the literal 'Administrators'.
