SecuriTricks - CVE-2025-6709

Description

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

Product(s) Impacted

Vendor	Product	Versions
Mongodb	Mongodb Server	<7.0.17, <8.0.5, <6.0.21

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mongodb	mongodb_server	<7.0.17	/	/	/	/	/	/	/
a	mongodb	mongodb_server	<8.0.5	/	/	/	/	/	/	/
a	mongodb	mongodb_server	<6.0.21	/	/	/	/	/	/	/

References

https://jira.mongodb.org/browse/SERVER-106748

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: June 26, 2025, 2:15 p.m.
Last Modified: June 26, 2025, 6:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@mongodb.com

CVE-2025-6709