CVE-2025-1756
📋 TL;DR
MongoDB Shell (mongosh) versions before 2.3.0 are vulnerable to local privilege escalation when a malicious file is placed in C:\node_modules\. This allows attackers with local access to execute arbitrary code with elevated privileges. Only Windows systems running vulnerable mongosh versions are affected.
💻 Affected Systems
- MongoDB Shell (mongosh)
📦 What is this software?
Codeready Linux Builder For Arm64 Eus by Redhat
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
Codeready Linux Builder For Power Little Endian Eus by Redhat
Enterprise Linux For Ibm Z Systems by Redhat
Enterprise Linux For Ibm Z Systems Eus by Redhat
Enterprise Linux For Power Little Endian Eus by Redhat
Enterprise Linux Update Services For Sap Solutions by Redhat
Mongosh by Mongodb
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could gain SYSTEM/administrator privileges, install persistent malware, access sensitive data, or compromise the entire system.
Likely Case
Local user or malware could escalate privileges to install additional payloads, modify system configurations, or access other user data.
If Mitigated
With proper access controls and monitoring, impact is limited to the local user context with minimal lateral movement.
🎯 Exploit Status
Requires local access and ability to write to C:\node_modules\. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.0 and later
Vendor Advisory: https://jira.mongodb.org/browse/MONGOSH-2028
Restart Required: No
Instructions:
1. Download mongosh 2.3.0 or later from the MongoDB website.
2. Uninstall the previous mongosh version.
3. Install the updated version.
4. Verify the installation with 'mongosh --version'.
🔧 Temporary Workarounds
Restrict write access to C:\node_modules\
Platform: Windows
Set restrictive permissions on the C:\node_modules\ directory to prevent unauthorized file creation.
icacls C:\node_modules\ /deny Everyone:(OI)(CI)(W)
🧯 If You Can't Patch
- Remove write permissions from C:\node_modules\ for non-administrative users.
- Monitor file creation events in C:\node_modules\ using Windows auditing or security tools.
🔍 How to Verify
Check if Vulnerable:
Check the mongosh version on each Windows host. A host is vulnerable if the installed version is earlier than 2.3.0.
Check Version:
mongosh --version
Verify Fix Applied:
Confirm mongosh version is 2.3.0 or higher and verify C:\node_modules\ permissions are properly restricted.
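The two verification checks above can be scripted. The following PowerShell audit is an added example, not code from MongoDB or from this advisory. The trusted-principal list and the fallback to inspecting C:\ when the directory is missing are assumptions to adapt locally.

```powershell
# Added example: audit a Windows host for exposure to CVE-2025-1756.
$FixedVersion = [version]'2.3.0'     # first fixed mongosh release per this page
$Target       = 'C:\node_modules'    # directory named on this page

# Assumption: principals allowed to hold write access (English account names;
# adjust for local policy or a localized Windows install).
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow creating files or subdirectories: WriteData (0x2),
# AppendData (0x4), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriter([string]$Path) {
    # Allow ACEs granting a create/write right to a principal outside $Trusted.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $WriteMask) -and
        $Trusted -notcontains $_.IdentityReference.Value
    }
}

# 1. Version check: anything below 2.3.0 is affected.
$mongosh = Get-Command mongosh -ErrorAction SilentlyContinue
if (-not $mongosh) {
    'mongosh: not found on PATH'
} elseif ((& $mongosh.Source --version 2>$null | Out-String) -match '(\d+\.\d+\.\d+)') {
    $installed = [version]$Matches[1]
    $state = if ($installed -lt $FixedVersion) { 'VULNERABLE' } else { 'fixed' }
    "mongosh $installed : $state"
} else {
    'mongosh: could not parse version output'
}

# 2. Directory check. If the directory is missing, the relevant question is who
#    may create it, so the ACL of C:\ is inspected instead.
if (Test-Path -LiteralPath $Target) {
    "Owner of ${Target}: $((Get-Acl -LiteralPath $Target).Owner)"
    $checked = $Target
} else {
    "$Target does not exist; checking who can create it under C:\"
    $checked = 'C:\'
}
$writers = @(Get-UntrustedWriter $checked)
if ($writers.Count -eq 0) { "No untrusted write access on $checked" }
$writers | ForEach-Object {
    "WRITE ACCESS on ${checked}: $($_.IdentityReference) [$($_.FileSystemRights)]"
}
```

Any WRITE ACCESS line, or an owner that is not an administrative account, means the directory permissions are not yet restricted as this page recommends.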
📡 Detection & Monitoring
Log Indicators:
- File creation events in C:\node_modules\ directory
- Unexpected privilege escalation events from mongosh processes
Network Indicators:
- None - this is a local exploit
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%C:\\node_modules\\%'