CVE-2025-1691
Published: 27 February 2025
Summary
CVE-2025-1691 is a high-severity Injection (CWE-74) vulnerability in MongoDB mongosh (the MongoDB Shell). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 40.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-1691 by requiring timely patching and updating of mongosh to version 2.3.9 or later to fix the control character injection flaw.
- Prevents exploitation of the autocomplete feature by enforcing input validation to neutralize control characters and malicious text from attacker-controlled clusters.
- Identifies deployments of vulnerable mongosh versions prior to 2.3.9 through regular vulnerability scanning, enabling remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables injection and execution of arbitrary commands/text within the mongosh command interpreter (Command and Scripting Interpreter, T1059) when the user triggers it by pressing tab (User Execution, T1204).
NVD Description
The MongoDB Shell may be susceptible to control character injection, where an attacker with control of the mongosh autocomplete feature can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using 'tab' to autocomplete text that is a prefix of the attacker's prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
Deeper analysis
CVE-2025-1691 is a control character injection vulnerability in the MongoDB Shell, known as mongosh. It allows an attacker with control over the mongosh autocomplete feature to inject and execute obfuscated malicious text through the autocompletion mechanism. The issue requires user interaction, specifically pressing the 'tab' key to autocomplete text that matches a prefix prepared by the attacker. This vulnerability affects mongosh versions prior to 2.3.9.
Exploitation is possible only when mongosh is connected to a MongoDB cluster that is partially or fully controlled by the attacker. The attacker needs high privileges (PR:H) on the cluster, network access (AV:N), and must overcome high attack complexity (AC:H), along with tricking the user into required interaction (UI:R). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) with a changed scope (S:C), earning a CVSS v3.1 base score of 7.6. The associated CWE is CWE-74.
Mitigation requires upgrading to mongosh version 2.3.9 or later. Additional details are available in the MongoDB advisory at https://jira.mongodb.org/browse/MONGOSH-2024.
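The SI-10 control above calls for neutralizing control characters in completion text that arrives from a possibly hostile cluster. The following is an added illustration of that check, not mongosh's own code or its actual fix: a client-side filter that only offers a server-supplied candidate for tab-completion if it is plain printable text and really extends what the user typed. The prefix and candidate list are constructed sample data.

```python
import unicodedata

# Unicode general categories that never belong in a shell completion candidate:
# Cc = control characters (ESC, CR, LF, NUL, ...), Cf = format characters
# (zero-width spaces/joiners, bidi overrides) that can hide or reorder text.
UNSAFE_CATEGORIES = {"Cc", "Cf"}


def unsafe_chars(s: str) -> list[str]:
    """Return the code points in s whose category is control or format."""
    return [f"U+{ord(ch):04X}" for ch in s if unicodedata.category(ch) in UNSAFE_CATEGORIES]


def sanitize_completions(prefix: str, candidates: list[str]) -> tuple[list[str], list[tuple[str, str]]]:
    """Filter completion candidates received from a (possibly hostile) server.

    A candidate is accepted only if it contains no control/format characters
    and actually extends the text the user typed. Everything else is rejected
    with a reason, so the client can log it instead of offering it on tab.
    """
    accepted: list[str] = []
    rejected: list[tuple[str, str]] = []
    for cand in candidates:
        bad = unsafe_chars(cand)
        if bad:
            rejected.append((repr(cand), "control/format chars " + ",".join(bad)))
        elif not cand.startswith(prefix):
            rejected.append((repr(cand), "does not extend typed prefix"))
        else:
            accepted.append(cand)
    return accepted, rejected


# Constructed sample: what a client might get back after typing "db.users.fi".
SAMPLE_PREFIX = "db.users.fi"
SAMPLE_CANDIDATES = [
    "db.users.find",
    "db.users.findOne",
    "db.users.find()\x1b[2K",   # ESC-based terminal control sequence
    "db.users.find\u200b()",    # zero-width space hidden inside the name
    "db.users.find\r",          # bare carriage return
    "db.admin.runCommand",      # does not complete what was typed
]

if __name__ == "__main__":
    offered, dropped = sanitize_completions(SAMPLE_PREFIX, SAMPLE_CANDIDATES)
    print("offered:", offered)
    for cand, why in dropped:
        print("dropped:", cand, "->", why)
```

Logging the rejected candidate with `repr()` keeps the control characters visible as escapes rather than letting them act on the operator's terminal.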
Details
- CWE(s): CWE-74 (Injection)