fkie_nvd - fkie_cve-2025-1755

FKIE_CVE-2025-1755

Vulnerability from fkie_nvd - Published: 2025-02-27 16:15 - Updated: 2025-04-09 14:07

Severity ?

7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1

References

	URL	Tags
	cna@mongodb.com	https://jira.mongodb.org/browse/COMPASS-9058	Vendor Advisory, Issue Tracking
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://access.redhat.com/errata/RHSA-2025:1755.html	Third Party Advisory

Impacted products

Vendor	Product	Version
mongodb	compass	*
microsoft	windows	-
redhat	enterprise_linux_for_arm_64	9.0_aarch64
redhat	enterprise_linux_for_ibm_z_systems	9.0_s390x
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	9.0_ppc64le
redhat	enterprise_linux_update_services_for_sap_solutions	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mongodb:compass:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1AF4CC4A-586E-4EEC-A2F8-0EA8CA343459",
              "versionEndExcluding": "1.42.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F7DAD7C-9369-4A87-A1D0-4208D3AF0CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB056B47-1F45-4CE4-81F6-872F66C24C29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.0_ppc64le:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DA48001-66CC-4E71-A944-68D7D654031E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "083AAC55-E87B-482A-A1F4-8F2DEB90CB23",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privileges, when a crafted file is stored in C:\\node_modules\\. This issue affects MongoDB Compass prior to 1.42.1"
    },
    {
      "lang": "es",
      "value": "MongoDB Compass puede ser susceptible a una escalada de privilegios locales en determinadas condiciones, lo que podr\u00eda permitir acciones no autorizadas en el sistema de un usuario con privilegios elevados, cuando un archivo manipulado se almacena en C:\\node_modules\\. Este problema afecta a MongoDB Compass anterior a la versi\u00f3n 1.42.1."
    }
  ],
  "id": "CVE-2025-1755",
  "lastModified": "2025-04-09T14:07:43.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 6.0,
        "source": "cna@mongodb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-27T16:15:39.137",
  "references": [
    {
      "source": "cna@mongodb.com",
      "tags": [
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://jira.mongodb.org/browse/COMPASS-9058"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2025:1755.html"
    }
  ],
  "sourceIdentifier": "cna@mongodb.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-426"
        }
      ],
      "source": "cna@mongodb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-426"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2025-1755 (GCVE-0-2025-1755)

Vulnerability from cvelistv5 – Published: 2025-02-27 15:24 – Updated: 2025-02-27 16:07

Summary

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-426 - Untrusted Search Path

Assigner

mongodb

References

URL

Tags

https://jira.mongodb.org/browse/COMPASS-9058

Impacted products

	Vendor	Product	Version
	MongoDB Inc	MongoDB Compass	Affected: 0 , < 1.42.1 (custom) cpe:2.3:a:mongodb:compass:1.0:::::::* cpe:2.3:a:mongodb:compass:1.1:::::::* cpe:2.3:a:mongodb:compass:1.2:::::::* cpe:2.3:a:mongodb:compass:1.3:::::::* cpe:2.3:a:mongodb:compass:1.4:::::::* cpe:2.3:a:mongodb:compass:1.5:::::::* cpe:2.3:a:mongodb:compass:1.6:::::::* cpe:2.3:a:mongodb:compass:1.7:::::::* cpe:2.3:a:mongodb:compass:1.8:::::::* cpe:2.3:a:mongodb:compass:1.9:::::::* cpe:2.3:a:mongodb:compass:1.10:::::::* cpe:2.3:a:mongodb:compass:1.11:::::::* cpe:2.3:a:mongodb:compass:1.12:::::::* cpe:2.3:a:mongodb:compass:1.13:::::::* cpe:2.3:a:mongodb:compass:1.14:::::::* cpe:2.3:a:mongodb:compass:1.15:::::::* cpe:2.3:a:mongodb:compass:1.16:::::::* cpe:2.3:a:mongodb:compass:1.17:::::::* cpe:2.3:a:mongodb:compass:1.18:::::::* cpe:2.3:a:mongodb:compass:1.19:::::::* cpe:2.3:a:mongodb:compass:1.20:::::::* cpe:2.3:a:mongodb:compass:1.21:::::::* cpe:2.3:a:mongodb:compass:1.22:::::::* cpe:2.3:a:mongodb:compass:1.23:::::::* cpe:2.3:a:mongodb:compass:1.24.1:::::::* cpe:2.3:a:mongodb:compass:1.25.0:::::::* cpe:2.3:a:mongodb:compass:1.26.0:::::::* cpe:2.3:a:mongodb:compass:1.26.1:::::::* cpe:2.3:a:mongodb:compass:1.28.1:::::::* cpe:2.3:a:mongodb:compass:1.28.4:::::::* cpe:2.3:a:mongodb:compass:1.29.4:::::::* cpe:2.3:a:mongodb:compass:1.29.5:::::::* cpe:2.3:a:mongodb:compass:1.29.6:::::::* cpe:2.3:a:mongodb:compass:1.30.1:::::::* cpe:2.3:a:mongodb:compass:1.31.0:::::::* cpe:2.3:a:mongodb:compass:1.31.1:::::::* cpe:2.3:a:mongodb:compass:1.31.2:::::::* cpe:2.3:a:mongodb:compass:1.31.3:::::::* cpe:2.3:a:mongodb:compass:1.32.0:::::::* cpe:2.3:a:mongodb:compass:1.32.1:::::::* cpe:2.3:a:mongodb:compass:1.32.2:::::::* cpe:2.3:a:mongodb:compass:1.32.3:::::::* cpe:2.3:a:mongodb:compass:1.33.0:::::::* cpe:2.3:a:mongodb:compass:1.33.1:::::::* cpe:2.3:a:mongodb:compass:1.34.1:::::::* cpe:2.3:a:mongodb:compass:1.34.2:::::::* cpe:2.3:a:mongodb:compass:1.35.0:::::::* cpe:2.3:a:mongodb:compass:1.36.0:::::::* cpe:2.3:a:mongodb:compass:1.36.2:::::::* cpe:2.3:a:mongodb:compass:1.37.0:::::::* cpe:2.3:a:mongodb:compass:1.38.0:::::::* cpe:2.3:a:mongodb:compass:1.38.1:::::::* cpe:2.3:a:mongodb:compass:1.38.2:::::::* cpe:2.3:a:mongodb:compass:1.39.0:::::::* cpe:2.3:a:mongodb:compass:1.39.1:::::::* cpe:2.3:a:mongodb:compass:1.39.2:::::::* cpe:2.3:a:mongodb:compass:1.39.3:::::::* cpe:2.3:a:mongodb:compass:1.39.4:::::::* cpe:2.3:a:mongodb:compass:1.40.0:::::::* cpe:2.3:a:mongodb:compass:1.40.1:::::::* cpe:2.3:a:mongodb:compass:1.40.2:::::::* cpe:2.3:a:mongodb:compass:1.40.3:::::::* cpe:2.3:a:mongodb:compass:1.40.4:::::::* cpe:2.3:a:mongodb:compass:1.41.0:::::::* cpe:2.3:a:mongodb:compass:1.42.0:::::::*

Credits

T. Doğa Gelişli

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1755",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T16:07:15.336525Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T16:07:45.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2025:1755.html"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:mongodb:compass:1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.5:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.6:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.7:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.8:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.9:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.10:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.11:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.12:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.13:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.14:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.15:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.16:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.17:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.18:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.19:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.20:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.21:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.22:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.23:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.24.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.25.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.26.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.26.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.28.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.28.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.29.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.29.5:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.29.6:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.30.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.31.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.31.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.31.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.31.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.32.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.32.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.32.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.32.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.33.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.33.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.34.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.34.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.35.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.36.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.36.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.37.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.38.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.38.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.38.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.39.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.39.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.39.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.39.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.39.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.40.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.40.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.40.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.40.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.40.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.41.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:mongodb:compass:1.42.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "MongoDB Compass",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "1.42.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cp\u003eOnly environments with Windows as the underlying operating system is affected by this issue\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "Only environments with Windows as the underlying operating system is affected by this issue"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "T. Do\u011fa Geli\u015fli"
        }
      ],
      "datePublic": "2025-02-27T13:08:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privileges, when a crafted file is stored in C:\\node_modules\\. This issue affects MongoDB Compass prior to 1.42.1\u003c/p\u003e"
            }
          ],
          "value": "MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user\u0027s system with elevated privileges, when a crafted file is stored in C:\\node_modules\\. This issue affects MongoDB Compass prior to 1.42.1"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-27T15:24:07.174Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "url": "https://jira.mongodb.org/browse/COMPASS-9058"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "MongoDB Compass may be susceptible to local privilege escalation in Windows",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2025-1755",
    "datePublished": "2025-02-27T15:24:07.174Z",
    "dateReserved": "2025-02-27T13:02:01.480Z",
    "dateUpdated": "2025-02-27T16:07:45.320Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2025-1755

CVE-2025-1755 (GCVE-0-2025-1755)

Tags

Sightings

Nomenclature