Description
The MongoDB Shell may be susceptible to control character injection, where an attacker with control of the user’s clipboard could manipulate the user into pasting text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9.
References (1)
Core References
Issue Tracking, Vendor Advisory
https://jira.mongodb.org/browse/MONGOSH-2025
Scores
CVSS v3
6.3
EPSS
0.0015
EPSS Percentile
34.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-150
Status
published
Products (2)
mongodb/mongosh
< 2.3.9
npm/mongosh
0 - 2.3.9
Published
Feb 27, 2025
Tracked Since
Feb 18, 2026