CVE-2025-10059

MEDIUM

MongoDB 6.0.0-6.0.23 - Denial of Service via Improper lsid Field Handling

Title source: llm
STIX 2.1

Description

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

References (2)

Core 2
Core References
Issue Tracking, Vendor Advisory
https://jira.mongodb.org/browse/SERVER-100901
Issue Tracking, Vendor Advisory
https://jira.mongodb.org/browse/SERVER-100909

Scores

CVSS v3 6.5
EPSS 0.0025
EPSS Percentile 16.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-732
Status published
Products (1)
mongodb/mongodb 6.0.0 - 6.0.24
Published Sep 05, 2025
Tracked Since Feb 18, 2026