CVE-2025-10059

MEDIUM

Mongodb < 6.0.24 - Incorrect Permission Assignment

Title source: rule
STIX 2.1

Description

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

References (2)

Scores

CVSS v3 6.5
EPSS 0.0006
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-732
Status published
Products (1)
mongodb/mongodb 6.0.0 - 6.0.24
Published Sep 05, 2025
Tracked Since Feb 18, 2026