CVE-2025-6709

HIGH EPSS 37.0%

Published Jun 26, 20251y ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jun 26, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

37.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 3

Vendor	Product	Version	Range
mongodb	mongodb	*	≥6.0.0 – <6.0.21
mongodb	mongodb	*	≥7.0.0 – <7.0.17
mongodb	mongodb	*	≥8.0.0 – <8.0.5

References 1

jira.mongodb.org https://jira.mongodb.org/browse/SERVER-106748

Issue TrackingVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.