CVE-2025-1693: MongoDB Shell may be susceptible to control character Injection via shell output

February 27, 2025

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

This issue affects mongosh versions prior to 2.3.9.

References

github.com/advisories/GHSA-r95j-4jvf-mrrw
github.com/mongodb-js/mongosh
jira.mongodb.org/browse/MONGOSH-2026
nvd.nist.gov/vuln/detail/CVE-2025-1693

Detect and mitigate CVE-2025-1693 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →