Improper Neutralization Affecting @mongosh/cli-repl package, versions <2.3.9

Q: How to fix?

Upgrade @mongosh/cli-repl to version 2.3.9 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-MONGOSHCLIREPL-9005462
published28 Feb 2025
disclosed27 Feb 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 27 Feb 2025

NewCVE-2025-1692 (opens in a new tab) CWE-150 (opens in a new tab)

How to fix?

Upgrade @mongosh/cli-repl to version 2.3.9 or higher.

Overview

@mongosh/cli-repl is a MongoDB Shell CLI REPL Package

Affected versions of this package are vulnerable to Improper Neutralization via pasting into the MongoDB Shell. An attacker with control of the user's clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
High
User Interaction (UI)
All

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None