3.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-1693

GHSA ID

GHSA-r95j-4jvf-mrrw

EPSS Score

0.19674%

CWE

CWE-150

Published

2/27/2025

Updated

2/27/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1693

CVE-2025-1693: MongoDB Shell may be susceptible to control character Injection via shell output

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

This issue affects mongosh versions prior to 2.3.9.

(GitHub Advisory)

3.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-1693

GHSA ID

GHSA-r95j-4jvf-mrrw

EPSS Score

0.19674%

CWE

CWE-150

Published

2/27/2025

Updated

2/27/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mongosh	npm	< 2.3.9	2.3.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper neutralization of control sequences in shell output. Based on mongosh's architecture:

Output formatting functions like formatOutput would handle data presentation
Console methods like log would be primary output vectors
These locations likely process untrusted database content without adequate sanitization
Confidence is medium due to lack of direct patch evidence, but matches CWE-150 patterns in CLI tools

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Mon*o** S**ll m*y ** sus**pti*l* to *ontrol ***r**t*r inj**tion w**r* *n *tt**k*r wit* *ontrol ov*r t** **t***s* *lust*r *ont*nts **n inj**t *ontrol ***r**t*rs into t** s**ll output. T*is m*y r*sult in t** *ispl*y o* **lsi*i** m*ss***s t**t *pp**

Reasoning

T** vuln*r**ility st*ms *rom improp*r n*utr*liz*tion o* *ontrol s*qu*n**s in s**ll output. **s** on mon*os*'s *r**it**tur*: *. Output *orm*ttin* *un*tions lik* *orm*tOutput woul* **n*l* **t* pr*s*nt*tion *. *onsol* m*t*o*s lik* lo* woul* ** prim*ry

3.9

Basic Information

Concerned about an active attack path?

CVE-2025-1693: MongoDB Shell may be susceptible to control character Injection via shell output

3.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI