SecuriTricks - CVE-2025-6707

Description

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

Product(s) Impacted

Vendor	Product	Versions
Mongodb	Mongodb Server	5.0, 6.0, 7.0, 8.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mongodb	mongodb_server	5.0	<5.0.31>*	/	/	/	/	/	/
a	mongodb	mongodb_server	6.0	<6.0.24>*	/	/	/	/	/	/
a	mongodb	mongodb_server	7.0	<7.0.21>*	/	/	/	/	/	/
a	mongodb	mongodb_server	8.0	<8.0.5>*	/	/	/	/	/	/

References

https://jira.mongodb.org/browse/SERVER-93497

CVSS Score

4.2 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: June 26, 2025, 2:15 p.m.
Last Modified: June 26, 2025, 6:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@mongodb.com

CVE-2025-6707