Upgrade @mongosh/shell-api to version 3.0.0 or higher.
@mongosh/shell-api is a MongoDB Shell API Classes Package.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the autocomplete feature. An attacker with control over the mongosh autocomplete feature can manipulate the autocompletion to input and execute obfuscated malicious text by tricking a user into using the 'tab' key to complete a command.
Note: This is only exploitable when mongosh is connected to a cluster that is partially or fully controlled by the attacker.