CVE-2024-6376: ejson shell parser in MongoDB Compass maybe bypassed

July 1, 2024 (updated February 27, 2025)

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass’ connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2.

References

github.com/advisories/GHSA-jxr4-4prv-mh83
github.com/mongodb-js/compass
github.com/mongodb-js/compass/commit/b1f8050d49d66be3bc499cb317a1e1de45390e51
jira.mongodb.org/browse/COMPASS-7496
nvd.nist.gov/vuln/detail/CVE-2024-6376

Detect and mitigate CVE-2024-6376 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →