ISSUE DESCRIPTION AND IMPACT

We discovered a bug in the Node.js platform’s REPL implementation that can be uncovered through the MongoDB Shell (“mongosh”).

• This issue refers to a defect in the Node.js runtime, from which the MongoDB Shell inherits parts of its REPL interface.
• Using autocomplete on a JavaScript expression can cause parts of the expression to be evaluated, including the side effects caused by evaluating said expression, even if the user never intended to run it.
• This is not a bug in the MongoDB Shell itself and does not affect builds of the MongoDB Shell created and distributed by our official website and/or MongoDB-managed package repositories. It primarily affects users who install it through third-party package managers, in particular Homebrew and npm.

Specifically, autocompletion in the mongosh REPL can execute partial input and, as a consequence, cause potentially destructive side effects, when run under affected Node.js versions. For example, pressing tab in db.collection.deleteMany({}).<tab> will cause db.collection to be emptied.

This issue only occurs in environments in which the Node.js version is controlled by the user or the installer, most notably macOS homebrew installations. Builds of mongosh distributed through https://www.mongodb.com/try/download/shell are not affected.

DIAGNOSIS AND AFFECTED VERSIONS

The following Node.js versions are affected:

• Node.js 24.3.0 through 24.7.0
• Node.js 22.18.0 and above
• Node.js 20.19.5 and above

For Node.js 22.x and 20.x, we do not yet know whether backports for the fix will be made available or not.

mongosh is not affected starting in version 2.5.8. The user needs to use both an affected version of Node.js and of mongosh in order to risk encountering this issue.

A user can verify which version of mongosh and Node.js they are running by executing mongosh --build-info in a terminal session.

A script to detect potentially unintended autocomplete calls with side effects has been added to this ticket as detect-autocomplete-sideffects.js. The script requires mongosh at least 2.4.0, but also detects issues from older mongosh versions.

The script may provide false positives, and may require manual inspection of relevant log files in order to determine whether unintended side effects have occurred as a result of autocompletion.

False negatives can be caused by missing log files. In its default configuration, mongosh only keeps log files for 30 days and up to 100 sessions, whichever is reached first, so it is unable to detect issues from earlier mongosh sessions. Additionally, running the script referenced above in mongosh will create a new log file, potentially causing an older log file to be removed from disk.

REMEDIATION AND WORKAROUNDS

The primary remediation for this issue is to upgrade mongosh and/or Node.js to the latest respective versions, or to start using builds of mongosh distributed via our official website at https://www.mongodb.com/try/download/shell.

OTHER AFFECTED TOOLS

Since this is an issue in the Node.js runtime, other Node.js-based applications may also be affected by this bug.

We have contributed an upstream fix to Node.js at https://github.com/nodejs/node/commit/6cf64af44d368f7874d06092481c9ef2ba1bb025.

—-----------------------------------------------------