9.8
Using @octokit/endpoint with mongosh can expose sensitive data
CLEANSTART-2026-QY24299
Summary
The @octokit/endpoint library can turn REST API endpoints into generic request options, potentially exposing sensitive data. This affects users of the mongosh package, which should be updated to the latest version to prevent potential issues. Users are advised to review and adjust their code accordingly.
What to do
- Update mongosh to version 2.7.0-r0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | mongosh | <= 2.7.0-r0 | 2.7.0-r0 |
Original title
@octokit/endpoint turns REST API endpoints into generic request options
Original description
Multiple security vulnerabilities affect the mongosh package. @octokit/endpoint turns REST API endpoints into generic request options. See references for individual vulnerability details.
CVSS 3.1 (osv): 9.8
- https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advis... Vendor Advisory
- https://osv.dev/vulnerability/CVE-2025-25285 URL
- https://osv.dev/vulnerability/CVE-2026-21637 URL
- https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj URL
- https://osv.dev/vulnerability/GHSA-fj3w-jwp8-x2g3 URL
- https://osv.dev/vulnerability/GHSA-rmvr-2pp2-xj38 URL
- https://nvd.nist.gov/vuln/detail/CVE-2025-25285 URL
- https://nvd.nist.gov/vuln/detail/CVE-2026-21637 URL
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026