CVE-2025-1693
CVE-2025-1693 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. This issue affects mongosh versions prior to 2.3.9. EPSS estimates a 0.19% chance of exploitation in the next 30 days.
Description
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. This issue affects mongosh versions prior to 2.3.9.
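The weakness described above is generic to any terminal client that prints untrusted data: a value stored in the database can carry ESC (which starts ANSI escape sequences) or CR (which lets later text overwrite the current line), so that the rendered output looks like a message from the shell or the OS. The following is an added example, not code from mongosh or the MongoDB project, showing the mitigation a client can apply before rendering: every C0/C1 control character in strings taken from the cluster is rewritten to a visible `\xNN` escape, so the data stays inspectable but can no longer drive the terminal. The sample document, the function names and the set of characters treated as dangerous are this example's own assumptions.

```javascript
// Added example (not mongosh's own code): make terminal control characters in
// untrusted database content visible instead of letting the terminal act on them.
// Tab and newline are left alone because they are needed for normal formatting;
// everything else in C0, plus DEL and the C1 range, is escaped.
const CONTROL_RE = /[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]/g;

// Rewrite each control character as "\xNN" so it prints as literal text.
function escapeControlChars(text) {
  return String(text).replace(CONTROL_RE, (ch) =>
    "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Return the code points of control characters found, e.g. for an audit log
// entry when a server sends suspicious content.
function findControlChars(text) {
  const found = [];
  for (const m of String(text).matchAll(CONTROL_RE)) found.push(m[0].charCodeAt(0));
  return found;
}

// Recursively sanitise string keys and values of a document before display.
// Non-string leaves (numbers, booleans, null, Dates, ObjectId-like objects)
// pass through untouched because they are rendered by the client, not the server.
function sanitizeDocument(value) {
  if (typeof value === "string") return escapeControlChars(value);
  if (Array.isArray(value)) return value.map(sanitizeDocument);
  if (value && typeof value === "object" && Object.getPrototypeOf(value) === Object.prototype) {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[escapeControlChars(k)] = sanitizeDocument(v);
    return out;
  }
  return value;
}

// Constructed sample: a document as an untrusted cluster might return it.
// The "note" field embeds ESC (starting a clear-screen sequence) and CR.
const SAMPLE_DOC = {
  _id: 1,
  name: "alice",
  note: "ok\u001b[2J\rmongosh: fake status line",
};

// Sanitise and print the sample; returns the cleaned copy for inspection.
function demo() {
  const clean = sanitizeDocument(SAMPLE_DOC);
  console.log(clean);
  return clean;
}

demo();
```

Escaping rather than stripping is the safer choice for a shell: the user can still see that the stored value contained an escape sequence, and nothing is silently lost. Note that this only covers ASCII/C1 control characters; Unicode format characters (bidirectional overrides, zero-width characters) can also mislead a reader and need separate handling.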
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mongodb | Mongosh | < 2.3.9 |
References
- https://jira.mongodb.org/browse/MONGOSH-2026 (Issue Tracking, Vendor Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
