MongoDB | Alerts

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application (CVE-2021-20331)

Mon, 24 May 2021 00:00:00 GMT

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1.

CVSS Score has been rated as 4.2

Specific cstrings input may not be properly validated in the Go Driver (CVE-2021-20329)

Thu, 10 Jun 2021 00:00:00 GMT

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

CVSS Score has been rated as 6.8

Server log entry spoofing via newline injection (CVE-2021-20333)

Fri, 23 Jul 2021 00:00:00 GMT

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;

CVSS Score has been rated as 5.3

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application (CVE-2021-20332)

Mon, 02 Aug 2021 00:00:00 GMT

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default.

CVSS Score has been rated as 4.2

User may trigger invariant when allowed to send commands directly to shards (CVE-2021-32037)

Wed, 24 Nov 2021 00:00:00 GMT

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.

CVSS Score has been rated as 6.5

Specific replication command with malformed oplog entries can crash secondaries (CVE-2021-20330)

Wed, 15 Dec 2021 00:00:00 GMT

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.

CVSS Score has been rated as 6.5

MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text (CVE-2021-32039)

Thu, 20 Jan 2022 00:00:00 GMT

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0

CVSS Score has been rated as 5.5

Denial of Service and Data Integrity vulnerability in features command (CVE-2021-32036)

Fri, 04 Feb 2022 00:00:00 GMT

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions.

CVSS Score has been rated as 5.4

Large aggregation pipelines with a specific stage can crash mongod under default configuration (CVE-2021-32040)

Tue, 12 Apr 2022 00:00:00 GMT

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16.

CVSS Score has been rated as 6.5

MongoDB Server (mongod) may crash in response to unexpected requests (CVE-2022-24272)

Wed, 11 May 2022 00:00:00 GMT

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.

CVSS Score has been rated as 6.5

MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive (CVE-2023-0342)

Fri, 09 Jun 2023 11:00:00 GMT

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12

CVSS Score has been rated as 3.1

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution (CVE-2022-48282)

Tue, 21 Feb 2023 19:39:00 GMT

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable

CVSS Score has been rated as 6.6

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager (CVE-2023-4009)

Tue, 08 Aug 2023 10:30:00 GMT

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

CVSS Score has been rated as 7.2

Kubernetes Operator generates potentially insecure certificates (CVE-2020-7922)

Thu, 09 Apr 2020 00:00:00 GMT

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects: MongoDB Inc. MongoDB Enterprise Kubernetes Operator version 1.0, 1.1, 1.2 versions prior to 1.2.4, 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.

CVSS Score has been rated as 6.4

Secret logging may occur in debug mode of Atlas Operator (CVE-2023-0436)

Tue, 07 Nov 2023 12:41:00 GMT

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.Required Configuration:DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )

CVSS Score has been rated as 4.5

MongoDB client C Driver may infinitely loop when validating certain BSON input data (CVE-2023-0437)

Fri, 12 Jan 2024 14:13:00 GMT

When calling bson_utf8_validateon some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.

CVSS Score has been rated as 5.3

MongoDB Server may allow successful untrusted connection (CVE-2024-1351)

Thu, 07 Mar 2024 09:31:00 GMT

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

CVSS Score has been rated as 8.8

Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application (CVE-2021-32050)

Tue, 29 Aug 2023 15:24:30 GMT

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

CVSS Score has been rated as 4.2

Insufficient validation of external input in Compass may enable MITM attacks (CVE-2024-3371)

Wed, 24 Apr 2024 16:32:07 GMT

MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to 1.42.0.

CVSS Score has been rated as 7.1

MongoDB Server (mongod) may crash when generating ftdc (CVE-2024-3374)

Tue, 14 May 2024 13:26:42 GMT

An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.

CVSS Score has been rated as 5.3

MongoDB Server may have unexpected application behaviour due to invalid BSON (CVE-2024-3372)

Tue, 14 May 2024 13:24:05 GMT

Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.

CVSS Score has been rated as 7.5

Out-of-bounds read in bson module of PyMongo (CVE-2024-5629)

Wed, 05 Jun 2024 14:32:56 GMT

An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.

CVSS Score has been rated as 4.7

ejson shell parser in MongoDB Compass maybe bypassed (CVE-2024-6376)

Mon, 01 Jul 2024 14:57:31 GMT

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2

CVSS Score has been rated as 7

Missing authorization check may lead to shard key refinement (CVE-2024-6375)

Mon, 01 Jul 2024 14:40:32 GMT

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.

CVSS Score has been rated as 5.4

MongoDB C Driver bson_strfreev may be susceptible to integer overflow (CVE-2024-6381)

Tue, 02 Jul 2024 17:14:48 GMT

The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2

CVSS Score has been rated as 4

Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands. (CVE-2024-6382)

Tue, 02 Jul 2024 17:17:50 GMT

Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2

CVSS Score has been rated as 6.4

MongoDB C Driver bson_string_append may be vulnerable to a buffer overflow (CVE-2024-6383)

Wed, 03 Jul 2024 21:33:47 GMT

The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1

CVSS Score has been rated as 5.3

Certificate validation issue in MongoDB Server running on Windows or macOS (CVE-2023-1409)

Wed, 23 Aug 2023 16:18:00 GMT

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.

CVSS Score has been rated as 5.3

Administrative action may disable enforcement of per-user IP whitelisting (CVE-2020-7921)

Wed, 06 May 2020 11:00:00 GMT

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.

CVSS Score has been rated as 4.6

Process termination via PID file manipulation (CVE-2019-2389)

Fri, 30 Aug 2019 11:00:00 GMT

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.

CVSS Score has been rated as 5.3

Potential exposure of log information in Ops Manager (CVE-2019-2388)

Wed, 13 May 2020 11:00:00 GMT

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.

CVSS Score has been rated as 5.8

JS-bson may incorrectly serialise some requests (CVE-2019-2391)

Tue, 31 Mar 2020 11:00:00 GMT

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.

CVSS Score has been rated as 4.2

Authorization session conflation (CVE-2019-2386)

Tue, 06 Aug 2019 11:00:00 GMT

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

CVSS Score has been rated as 7.1

Code execution on Windows via OpenSSL engine injection (CVE-2019-2390)

Fri, 30 Aug 2019 11:00:00 GMT

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects: MongoDB Inc. MongoDB Server 4.0 prior to 4.0.11; 3.6 prior to 3.6.14; 3.4 prior to 3.4.22.

CVSS Score has been rated as 8.2

Specific GeoQuery can cause DoS against MongoDB Server (CVE-2020-7923)

Fri, 21 Aug 2020 00:00:00 GMT

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.

CVSS Score has been rated as 6.5

Denial of Service when processing malformed Role names (CVE-2020-7925)

Mon, 30 Nov 2020 00:00:00 GMT

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.

CVSS Score has been rated as 7.5

Specific query can cause a DoS against MongoDB Server (CVE-2020-7926)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected.

CVSS Score has been rated as 6.5

Potential privilege escalation in Ops Manager API (CVE-2020-7927)

Mon, 30 Nov 2020 00:00:00 GMT

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.

CVSS Score has been rated as 8.1

$mod can result in UB (CVE-2019-2392)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

CVSS Score has been rated as 6.5

Crash while joining collections with $lookup (CVE-2019-2393)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15.

CVSS Score has been rated as 6.5

Crash while handling internal Javascript exception types (CVE-2019-20923)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

CVSS Score has been rated as 6.5

Specially crafted query may result in a denial of service of mongod (CVE-2021-20326)

Fri, 30 Apr 2021 00:00:00 GMT

A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4.

CVSS Score has been rated as 6.5

Improper neutralization of null byte leads to read overrun (CVE-2020-7928)

Mon, 23 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

CVSS Score has been rated as 6.5

Post-auth queries on compound index may crash mongod (CVE-2018-20802)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3.

CVSS Score has been rated as 6.5

Invariant failure in applyOps (CVE-2018-20804)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13.

CVSS Score has been rated as 6.5

Invariant with $elemMatch (CVE-2018-20805)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Server 3.6 versions prior to 3.6.10; 4.0 versions prior to 4.0.5.

CVSS Score has been rated as 6.5

Denial of service via malformed network packet (CVE-2019-20925)

Tue, 24 Nov 2020 00:00:00 GMT

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24.

CVSS Score has been rated as 7.5

Infinite loop in aggregation expression (CVE-2018-20803)

Mon, 23 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19.

CVSS Score has been rated as 6.5

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager (CVE-2021-20335)

Thu, 11 Feb 2021 00:00:00 GMT

For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager <= 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.

CVSS Score has been rated as 6.7

MongoDB Node.js client side field level encryption library may not be validating KMS certificate (CVE-2021-20327)

Thu, 25 Feb 2021 00:00:00 GMT

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS servers certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver workloads that dont use Field Level Encryption.

CVSS Score has been rated as 6.4

MongoDB Java driver client-side field level encryption not verifying KMS host name (CVE-2021-20328)

Thu, 25 Feb 2021 00:00:00 GMT

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS servers certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that dont use Field Level Encryption.

CVSS Score has been rated as 6.4

Specially crafted regex query can cause DoS (CVE-2020-7929)

Fri, 26 Feb 2021 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

CVSS Score has been rated as 6.5

Invariant failure when explaining a find with a UUID (CVE-2018-25004)

Fri, 26 Feb 2021 00:00:00 GMT

A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11.

CVSS Score has been rated as 4.9

Local privilege escalation in MongoDB Compass for Windows (CVE-2021-20334)

Tue, 06 Apr 2021 00:00:00 GMT

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.

CVSS Score has been rated as 4.8

Specific command line parameter might result in accepting invalid certificate (CVE-2020-7924)

Mon, 12 Apr 2021 00:00:00 GMT

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

CVSS Score has been rated as 4.2

Invariant in IndexBoundsBuilder (CVE-2019-20924)

Tue, 01 Dec 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2.

CVSS Score has been rated as 6.5

MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories (CVE-2025-11535)

Wed, 08 Oct 2025 22:07:18 GMT

MongoDB Connector for BI installation viaMSIon Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.

CVSS Score has been rated as

Configuration may unexpectedly disable certificate validation (CVE-2025-11695)

Mon, 13 Oct 2025 16:22:57 GMT

When tlsInsecure=False appears in a connection string, certificate validation is disabled.This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5

CVSS Score has been rated as 8

Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior (CVE-2025-11979)

Mon, 20 Oct 2025 17:47:57 GMT

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

CVSS Score has been rated as 5.3

MongoDB Atlas SQL ODBC driver installation via MSI may leave ACLs unset on custom installation directories (CVE-2025-11575)

Thu, 23 Oct 2025 00:22:00 GMT

Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.

CVSS Score has been rated as

MongoDB BI Connector ODBC driver installation via MSI may leave ACLs unset on custom installation directories (CVE-2025-12100)

Thu, 23 Oct 2025 21:02:18 GMT

Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6.

CVSS Score has been rated as

Malformed KMIP response may result in access violation (CVE-2025-12657)

Mon, 03 Nov 2025 21:03:25 GMT

The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.

CVSS Score has been rated as

Bulk write with options may read invalid memory (CVE-2025-12119)

Tue, 18 Nov 2025 20:21:08 GMT

A mongoc_bulk_operation_t may read invalid memory if large options are passed.

CVSS Score has been rated as

Time-series operations may cause internal BSON size limit to be exceed (CVE-2025-13507)

Tue, 25 Nov 2025 04:52:47 GMT

Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1.

CVSS Score has been rated as 7.1

Improper Certificate Validation May Allow Successful TLS Handshaking Despite Invalid Extended Key Usage Fields in MongoDB Server (CVE-2025-12893)

Tue, 25 Nov 2025 05:07:17 GMT

Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems.Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2

CVSS Score has been rated as 4.2

MongoDB Server may allow queries to be terminated by unauthorized users (CVE-2025-13643)

Tue, 25 Nov 2025 05:16:24 GMT

A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14

CVSS Score has been rated as 3.1

MongoDB may be susceptible to Invariant Failure due to batched delete (CVE-2025-13644)

Tue, 25 Nov 2025 05:23:12 GMT

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2

CVSS Score has been rated as 6.5

Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server (CVE-2025-14345)

Tue, 09 Dec 2025 15:00:38 GMT

A post-authenticationflaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.

CVSS Score has been rated as 4.2

Zlib compressed protocol header length confusion may allow memory read (CVE-2025-14847)

Fri, 19 Dec 2025 11:00:22 GMT

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

CVSS Score has been rated as 8.7

Accessing Untrusted Directory May Allow Local Privilege Escalation (CVE-2024-7553)

Wed, 07 Aug 2024 09:57:49 GMT

Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.Required Configuration:Only environments with Windows as the underlying operating system is affected by this issue

CVSS Score has been rated as 7.3

Unsafe Reflection in Mongoid::Criteria.from_hash (CVE-2026-2302)

Tue, 10 Feb 2026 18:59:23 GMT

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

CVSS Score has been rated as 6.9

Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server (CVE-2026-25611)

Tue, 10 Feb 2026 17:52:47 GMT

A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.

CVSS Score has been rated as 8.7

Internal ResourceId collision may affect unrelated collections (CVE-2026-25612)

Tue, 10 Feb 2026 18:05:23 GMT

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.

CVSS Score has been rated as 7.1

An unsafe cast in the MongoDB query planner can result in a segmentation fault. (CVE-2026-25613)

Tue, 10 Feb 2026 18:54:50 GMT

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.

CVSS Score has been rated as 7.1

profile command may permit unauthorized configuration (CVE-2026-25609)

Tue, 10 Feb 2026 18:39:11 GMT

Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.

CVSS Score has been rated as 5.3

Invalid $geoNear index hint may cause server crash (CVE-2026-25610)

Tue, 10 Feb 2026 18:30:40 GMT

An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.

CVSS Score has been rated as 7.1

An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification (CVE-2026-1850)

Tue, 10 Feb 2026 18:49:32 GMT

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.

CVSS Score has been rated as 7.1

Mongod can run out of stack memory when expressions create deeply nested documents (CVE-2026-1849)

Tue, 10 Feb 2026 18:52:52 GMT

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.

CVSS Score has been rated as 7.1

Connections received from the proxy port may not count towards total accepted connections (CVE-2026-1848)

Tue, 10 Feb 2026 18:22:41 GMT

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header.

CVSS Score has been rated as 8.2

MongoDB Server may crash when inserting large documents (CVE-2026-1847)

Tue, 10 Feb 2026 18:16:24 GMT

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.

CVSS Score has been rated as 7.1

Integer Overflow in GridFS chunkSize Leading to Heap Allocation Failure (CVE-2025-14911)

Tue, 27 Jan 2026 17:29:21 GMT

User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.

CVSS Score has been rated as 7.1

Stack memory disclosure in filemd5 command (CVE-2026-4147)

Tue, 17 Mar 2026 15:50:21 GMT

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.

CVSS Score has been rated as 7.1

ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators (CVE-2026-4148)

Tue, 17 Mar 2026 15:53:57 GMT

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

CVSS Score has been rated as 8.7

Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak (CVE-2026-2303)

Tue, 10 Feb 2026 19:03:06 GMT

The mongo-go-driver repositorycontains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.

CVSS Score has been rated as 6.9

Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server (CVE-2024-6384)

Tue, 13 Aug 2024 14:22:22 GMT

"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3

CVSS Score has been rated as 5.3

MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths (CVE-2024-8207)

Tue, 27 Aug 2024 11:28:06 GMT

In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue

CVSS Score has been rated as 6.4

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour (CVE-2024-8654)

Tue, 10 Sep 2024 13:35:50 GMT

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.

CVSS Score has been rated as 5

MongoDB Server secondaries may crash due to forced index constraints (CVE-2024-8305)

Mon, 21 Oct 2024 14:10:31 GMT

prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4

CVSS Score has been rated as 6.5

CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines (CVE-2024-8013)

Mon, 28 Oct 2024 12:58:05 GMT

A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.

CVSS Score has been rated as 2.2

Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server (CVE-2024-10921)

Thu, 14 Nov 2024 16:04:04 GMT

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

CVSS Score has been rated as 6.8

MongoDB Shell may be susceptible to Control Character Injection via autocomplete (CVE-2025-1691)

Thu, 27 Feb 2025 12:34:02 GMT

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using tab to autocomplete text that is a prefix of the attackers prepared autocompletion. This issue affects mongosh versions prior to2.3.9.The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

CVSS Score has been rated as 7.6

MongoDB Shell may be susceptible to control character injection via pasting (CVE-2025-1692)

Thu, 27 Feb 2025 12:37:00 GMT

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the users clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9

CVSS Score has been rated as 6.3

MongoDB Shell may be susceptible to control character Injection via shell output (CVE-2025-1693)

Thu, 27 Feb 2025 12:39:37 GMT

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.This issue affects mongosh versions prior to 2.3.9

CVSS Score has been rated as 3.9

MongoDB Compass may be susceptible to local privilege escalation in Windows (CVE-2025-1755)

Thu, 27 Feb 2025 15:24:07 GMT

MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules. This issue affects MongoDB Compass prior to 1.42.1

CVSS Score has been rated as 7.5

MongoDB Shell may be susceptible to local privilege escalation in Windows (CVE-2025-1756)

Thu, 27 Feb 2025 15:28:11 GMT

mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules. This issue affects mongosh prior to 2.3.0

CVSS Score has been rated as 7.5

MongoDB C Driver bson library may be susceptible to buffer overflow (CVE-2025-0755)

Tue, 18 Mar 2025 09:01:04 GMT

The various bson_appendfunctions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16

CVSS Score has been rated as 8.4

Malformed MongoDB wire protocol messages may cause mongos to crash (CVE-2025-3083)

Tue, 01 Apr 2025 11:12:31 GMT

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to6.0.20 and MongoDB v7.0 versions prior to 7.0.16

CVSS Score has been rated as 7.5

MongoDB Windows installation MSI may leave ACLs unset on custom installation directories (CVE-2025-10491)

Mon, 15 Sep 2025 16:04:54 GMT

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5

CVSS Score has been rated as 7.8

MongoDB Server may crash due to improper validation of explain command (CVE-2025-3084)

Tue, 01 Apr 2025 11:14:19 GMT

When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4

CVSS Score has been rated as 6.5

MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked (CVE-2025-3085)

Tue, 01 Apr 2025 12:05:05 GMT

A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.Required Configuration :MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled

CVSS Score has been rated as 8.1

Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server (CVE-2025-6706)

Thu, 26 Jun 2025 14:00:22 GMT

An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.

CVSS Score has been rated as 5

Race condition in privilege cache invalidation cycle (CVE-2025-6707)

Thu, 26 Jun 2025 14:04:46 GMT

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

CVSS Score has been rated as 4.2

Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication (CVE-2025-6709)

Thu, 26 Jun 2025 14:07:04 GMT

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

CVSS Score has been rated as 7.5

Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB (CVE-2025-6710)

Thu, 26 Jun 2025 14:09:29 GMT

MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

CVSS Score has been rated as 7.5

Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash (CVE-2025-7259)

Mon, 07 Jul 2025 15:59:01 GMT

An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.

CVSS Score has been rated as 6.5

Incomplete Redaction of Sensitive Information in MongoDB Server Logs (CVE-2025-6711)

Mon, 07 Jul 2025 14:42:16 GMT

An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.

CVSS Score has been rated as 4.4

MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation (CVE-2025-6712)

Mon, 07 Jul 2025 14:44:38 GMT

MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability. This issue affects MongoDB Server v8.0 versions prior to 8.0.10

CVSS Score has been rated as 6.5

MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage (CVE-2025-6713)

Mon, 07 Jul 2025 14:46:36 GMT

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.20 and MongoDB Server v6.0 versions prior to 6.0.22

CVSS Score has been rated as 7.7

Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections (CVE-2025-6714)

Mon, 07 Jul 2025 14:48:48 GMT

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9Required Configuration:This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.

CVSS Score has been rated as 7.5

MongoDB Server router will crash when incorrect lsid is set on a sharded query (CVE-2025-10059)

Fri, 05 Sep 2025 20:26:52 GMT

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

CVSS Score has been rated as 6.5

MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation (CVE-2025-10060)

Fri, 05 Sep 2025 20:39:14 GMT

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12

CVSS Score has been rated as 6.5

Malformed $group Query May Cause MongoDB Server to Crash (CVE-2025-10061)

Fri, 05 Sep 2025 20:48:25 GMT

An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2

CVSS Score has been rated as 6.5