CVE-2025-3083

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://jira.mongodb.org/browse/SERVER-103152	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::
	cpe:2.3:a:mongodb:mongodb::::::::

History

22 Sep 2025, 14:15

Type	Values Removed	Values Added
Summary		(es) Los mensajes de protocolo de conexión MongoDB manipulados específicamente pueden provocar el bloqueo de MongoDB durante la validación de comandos. Esto puede ocurrir sin usar una conexión autenticada. Este problema afecta a MongoDB v5.0 anteriores a la 5.0.31, MongoDB v6.0 anteriores a la 6.0.20 y MongoDB v7.0 anteriores a la 7.0.16.
First Time		Mongodb Mongodb mongodb
CPE		cpe:2.3:a:mongodb:mongodb::::::::
References	~~() https://jira.mongodb.org/browse/SERVER-103152 -~~	() https://jira.mongodb.org/browse/SERVER-103152 - Issue Tracking, Vendor Advisory

01 Apr 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-01 12:15

Updated : 2025-09-22 14:15

NVD link : CVE-2025-3083

Mitre link : CVE-2025-3083

CVE.ORG link : CVE-2025-3083

JSON object : View

Products Affected

mongodb

mongodb

CWE

CWE-248

Uncaught Exception

{"id": "CVE-2025-3083", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@mongodb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-04-01T12:15:15.883", "references": [{"url": "https://jira.mongodb.org/browse/SERVER-103152", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cna@mongodb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@mongodb.com", "description": [{"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, \u00a0MongoDB v6.0 versions prior to\u00a06.0.20 and MongoDB v7.0 versions prior to 7.0.16"}, {"lang": "es", "value": "Los mensajes de protocolo de conexi\u00f3n MongoDB manipulados espec\u00edficamente pueden provocar el bloqueo de MongoDB durante la validaci\u00f3n de comandos. Esto puede ocurrir sin usar una conexi\u00f3n autenticada. Este problema afecta a MongoDB v5.0 anteriores a la 5.0.31, MongoDB v6.0 anteriores a la 6.0.20 y MongoDB v7.0 anteriores a la 7.0.16."}], "lastModified": "2025-09-22T14:15:59.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66128ED7-B1B4-44B8-9295-D27461F161EA", "versionEndExcluding": "5.0.31", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F398EABB-311B-4726-A414-537D4EEE1A26", "versionEndExcluding": "6.0.20", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E95B2F98-7920-4A34-8E4F-F01DB87A76FA", "versionEndExcluding": "7.0.16", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@mongodb.com"}