CVE-2025-10059

Published: Sep 5, 2025Modified: Sep 22, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: CNA (Secondary)

Description

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

Affected (3)

Products: Mongodb: Mongodb

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mongodb Mongodb	From 6.0.0 to 6.0.24
Mongodb Mongodb	From 7.0.0 to 7.0.18
Mongodb Mongodb	From 8.0.0 to 8.0.6

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://jira.mongodb.org/browse/SERVER-100901

Source: cna@mongodb.com

Issue TrackingVendor Advisory

https://jira.mongodb.org/browse/SERVER-100909

Source: cna@mongodb.com

Issue TrackingVendor Advisory

Timeline

No history available yet.