CVE-2025-1756
Published: 27 February 2025
Summary
CVE-2025-1756 is a high-severity Untrusted Search Path (CWE-426) vulnerability in MongoDB mongosh. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 11.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the CVE by requiring timely flaw remediation through upgrading mongosh to version 2.3.0 or later, eliminating the untrusted search path vulnerability.
Restricts user-installed software and prohibits placement of crafted malicious files in exploitable directories like C:\node_modules\, preventing the initial exploitation setup.
Deploys malicious code protection mechanisms to scan for and block execution of the crafted file loaded via the untrusted search path during privilege escalation attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-1756 enables local privilege escalation in mongosh via a crafted file in C:\node_modules\, facilitating exploitation for privilege escalation.
NVD Description
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules\. This issue affects mongosh prior to 2.3.0.
Deeper analysis
CVE-2025-1756 is a local privilege escalation vulnerability in mongosh, affecting versions prior to 2.3.0. The flaw occurs under certain conditions when a crafted file is stored in C:\node_modules\, potentially enabling unauthorized actions on a user's system with elevated privileges. It is linked to CWE-426 (Untrusted Search Path) and carries a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating high severity with local access required, high complexity, low privileges, and user interaction.
A local attacker with low privileges can exploit this vulnerability by placing a crafted file in the C:\node_modules\ directory. Exploitation demands high attack complexity and relies on user interaction, likely involving the execution of mongosh in an environment that loads the malicious file via an untrusted search path. Upon success, the attacker achieves privilege escalation, with high impact on confidentiality, integrity, and availability and a changed scope (S:C in the CVSS vector).
MongoDB's advisory at https://jira.mongodb.org/browse/MONGOSH-2028 and Red Hat's errata at https://access.redhat.com/errata/RHSA-2025:1756 detail the issue. Mitigation requires upgrading to mongosh 2.3.0 or later, which addresses the vulnerability.
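A host check for the two conditions described above, as an added example that is not from MongoDB or the original page: it reports whether the installed mongosh predates 2.3.0 and which non-administrative principals can write to C:\node_modules\ (or create it under C:\ when it is absent). The function names and the set of SIDs treated as trusted are assumptions of this example.

```powershell
# Path and fixed version come from the advisory text; function names are illustrative.
$SearchPath   = 'C:\node_modules'
$FixedVersion = [version]'2.3.0'
# SYSTEM, BUILTIN\Administrators, TrustedInstaller (well-known SIDs, locale-independent).
$TrustedSids  = 'S-1-5-18', 'S-1-5-32-544',
                'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Test-MongoshVulnerable([string]$VersionText) {
    # Compares MAJOR.MINOR.PATCH only; returns $null when the output cannot be parsed.
    if ($VersionText -match '(\d+\.\d+\.\d+)') { return ([version]$Matches[1]) -lt $FixedVersion }
    return $null
}

function Get-UntrustedWriteAce([string]$Path) {
    # WriteData = create files, AppendData = create subdirectories.
    # ACEs expressed only as generic rights (raw numeric values) are not decoded here.
    $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $mask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights }
        }
    }
}

# 1. Is a mongosh older than the fixed release on PATH?
$mongosh = Get-Command mongosh -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1
if ($mongosh) {
    $ver = & $mongosh.Source --version | Select-Object -First 1
    "mongosh $ver at $($mongosh.Source): vulnerable = $(Test-MongoshVulnerable $ver)"
} else { 'mongosh not found on PATH' }

# 2. Who can plant files in the search path named by the advisory?
if (Test-Path -LiteralPath $SearchPath) {
    "$SearchPath exists; contents and untrusted write ACEs:"
    Get-ChildItem -LiteralPath $SearchPath -Force | Select-Object FullName, LastWriteTime
    Get-UntrustedWriteAce $SearchPath
} else {
    "$SearchPath absent; untrusted principals able to create it under C:\:"
    Get-UntrustedWriteAce 'C:\'
}
```

Any ACE returned for an identity that should not be installing software is the CM-11 gap; upgrading mongosh remains the actual fix.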
Details
- CWE(s)