CVE-2025-13644

MEDIUM

Mongodb < 7.0.26 - Reachable Assertion

Title source: rule

Description

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2

References (1)

[Vendor Advisory] https://jira.mongodb.org/browse/SERVER-101180

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-617

Status published

Products (2)

mongodb/mongodb 8.2.0 alpha (4 CPE variants)

mongodb/mongodb 7.0.0 - 7.0.26

Published Nov 25, 2025

Tracked Since Feb 18, 2026