CVE-2025-1693— MongoDB Shell may be susceptible to control character Injection via shell output
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-1693
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MongoDB Shell may be susceptible to control character Injection via shell output
Source: NVD (National Vulnerability Database)
Vulnerability Description
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. This issue affects mongosh versions prior to 2.3.9
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
转义、元或控制序列转义处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
MongoDB 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MongoDB是美国MongoDB公司的一种面向文档的数据库管理系统。 MongoDB 2.3.9之前版本存在安全漏洞,该漏洞源于控制字符注入,可能导致伪造消息显示。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MongoDB Inc | mongosh | 0 ~ 2.3.9 | cpe:2.3:a:mongodb:mongosh:0.2.2:*:*:*:*:*:*:* |
II. Public POCs for CVE-2025-1693
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-1693
请登录查看更多情报信息。
Same Patch Batch · MongoDB Inc · 2025-02-27 · 5 CVEs total
| CVE-2025-1691 | 7.6 HIGH | MongoDB Shell may be susceptible to Control Character Injection via autocomplete |
| CVE-2025-1755 | 7.5 HIGH | MongoDB Compass may be susceptible to local privilege escalation in Windows |
| CVE-2025-1756 | 7.5 HIGH | MongoDB Shell may be susceptible to local privilege escalation in Windows |
| CVE-2025-1692 | 6.3 MEDIUM | MongoDB Shell may be susceptible to control character injection via pasting |
IV. Related Vulnerabilities
Same vendor: MongoDB Inc
- CVE-2026-4359
Heap-buffer-over-read in _mongoc_http_send via strstr on non - CVE-2026-4358
Memory safety issues in slot-based execution hash table spil - CVE-2026-4148
ExpressionContext use-after-free in classic engine $lookup a - CVE-2026-4147
Stack memory disclosure in filemd5 command - CVE-2026-2303
Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enabl
Same weakness: CWE-150
- CVE-2026-41526
KCoreAddons 安全漏洞 - CVE-2026-6019
BaseCookie.js_output() does not neutralize embedded characte - CVE-2026-40505
MuPDF < 1.27 mutool ANSI Injection via Metadata - CVE-2026-26149
Microsoft Power Apps Desktop Client Spoofing Vulnerability - CVE-2026-35651
OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Inject
V. Comments for CVE-2025-1693
No comments yet