Upgrade @mongosh/cli-repl to version 2.3.9 or higher.
@mongosh/cli-repl is the command-line REPL package of the MongoDB Shell (mongosh).
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the autocomplete feature. mongosh builds its Tab-completion candidates (database, collection and field names) from data returned by the connected cluster, so an attacker who controls that data can craft completion candidates that, when the user presses the Tab key to complete a command, insert obfuscated malicious text into the command line and cause it to be executed.
Note:
This is only exploitable when mongosh is connected to a cluster that is partially or fully controlled by the attacker, because that cluster is the source of the autocomplete data.
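The following is an added example of the hardening a REPL would apply to server-supplied completion candidates; it is not mongosh's own code and does not show the actual fix shipped in 2.3.9. The helper names (`isSuspicious`, `renderCompletion`, `buildCompletions`) and the sample collection names are assumptions constructed for the example. The idea is that a candidate returned by the cluster is only ever spliced into the command line verbatim when it is a plain identifier; anything else is rendered in a quoted form (`db.getCollection("...")`, which is a real shell API) where JSON escaping makes control characters such as ANSI escape sequences visible instead of letting them hide or reinterpret text on the terminal.

```javascript
// Added illustration of filtering REPL autocompletion candidates that come
// from an untrusted cluster. NOT mongosh's code; helper names and the sample
// collection names below are assumptions made for this example.

// A candidate is only safe to splice into the command line as-is when it is
// a bare JavaScript identifier: nothing that can terminate the expression,
// open a call, or carry terminal control characters.
const SAFE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// C0/C1 control characters, including ESC (0x1b), which starts ANSI escape
// sequences that can erase or recolour what the user sees on a VT terminal.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/;

// True when a server-supplied name could change the meaning of the line or
// hide text from the user.
function isSuspicious(name) {
  return CONTROL_CHARS.test(name) || !SAFE_IDENTIFIER.test(name);
}

// Render a collection-name candidate as the text that Tab would insert.
// Plain identifiers use the dotted form; anything else goes through
// JSON.stringify, which escapes quotes and control characters (\u001b etc.)
// so the candidate is a string literal the shell cannot execute and the
// user can see exactly what it contains.
function renderCompletion(name) {
  if (SAFE_IDENTIFIER.test(name)) {
    return `db.${name}`;
  }
  return `db.getCollection(${JSON.stringify(name)})`;
}

// Build the list of completions for what the user has typed so far.
function buildCompletions(prefix, serverNames) {
  return serverNames.filter((n) => n.startsWith(prefix)).map(renderCompletion);
}

// Constructed sample: what a hostile cluster might return for listCollections.
const SAMPLE_NAMES = [
  "users",
  "orders",
  'users; require("child_process").execSync("id")', // code smuggled into a name
  "ord\u001b[2Kers", // ESC [2K clears the current line on a VT terminal
];

console.log(buildCompletions("u", SAMPLE_NAMES));
console.log(SAMPLE_NAMES.map((n) => [n, isSuspicious(n)]));
```

With the prefix `u`, the first candidate is inserted as `db.users`, while the second becomes `db.getCollection("users; require(\"child_process\").execSync(\"id\")")`: still selectable, but a quoted string rather than a second statement, and readable in full on the terminal. Whether a REPL should show suspicious candidates at all, or drop them with a warning, is a product decision; the check above gives it that choice.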