Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-vxvm-qww3-2fh7

GitHub Security Advisory

MongoDB Driver may publish events containing authentication-related data

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Affected Packages

Packagist mongodb/mongodb
Affected versions: 1.0.0 (fixed in 1.9.2)
npm mongodb
Affected versions: 3.6.0 (fixed in 3.6.10)
npm mongodb
Affected versions: 4.0.0 (fixed in 4.17.0)
npm mongodb
Affected versions: 5.0.0 (fixed in 5.8.0)
SwiftURL github.com/mongodb/mongo-swift-driver
Affected versions: 1.0.0 (fixed in 1.1.1)

Related CVEs

CVE-2021-32050

Key Information

GHSA ID
GHSA-vxvm-qww3-2fh7
Published
August 29, 2023 6:31 PM
Last Modified
February 13, 2025 7:11 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
mongodb/mongodb
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.