CVE-2025-6713

HIGH

MongoDB Server 6.0.0-6.0.21 - Authorization Bypass via $mergeCursors Aggregation Stage (also affects 7.0 before 7.0.19 and 8.0 before 8.0.7)

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-6713, a PoC published by c137req.

AI-analyzed exploit summary

This PoC demonstrates an authorization bypass in MongoDB via improper handling of the `$mergeCursors` aggregation stage, allowing unauthorized access to restricted collections. The script sets up test data and executes a malicious aggregation pipeline to leak data from a restricted collection.

Description

An authenticated user who lacks authorization on a collection may leverage a specially crafted aggregation pipeline to read that collection's data, due to improper handling of the $mergeCursors stage in MongoDB Server. $mergeCursors is an internal stage that mongos injects to merge per-shard cursors; the flaw is that a client-supplied pipeline containing it was not subjected to the usual per-collection authorization checks, so the CVSS vector (PR:L, S:C, C:H) reflects an authenticated low-privilege attacker reading data outside their own grant with no integrity or availability impact. Affected: MongoDB Server v8.0 prior to 8.0.7, v7.0 prior to 7.0.19, and v6.0 prior to 6.0.22.
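Two offline checks a defender would want alongside this description, written here as an added example (this is not code from the page, from MongoDB, or from the c137req PoC): a version-range check that encodes the fixed versions quoted above, and a scanner over mongod structured JSON log lines that flags any client-issued command whose document carries a $mergeCursors stage. Because that stage is internal to mongos, a driver connection submitting it is anomalous whatever the patch level. The log lines are constructed for the example and the `{"$mergeCursors": {}}` stage in them is a placeholder, not the PoC's payload; the detector keys on the stage name only.

```python
"""Offline checks for CVE-2025-6713 (MongoDB $mergeCursors authorization bypass).

1. is_affected(): maps a server version string onto the fixed versions stated in
   the advisory text (8.0 < 8.0.7, 7.0 < 7.0.19, 6.0 < 6.0.22).
2. find_client_mergecursors(): scans mongod 4.4+ JSON log records (e.g. the
   "Slow query" COMMAND records) for a command document that contains a
   $mergeCursors stage anywhere in it.
"""
import json
import re
from typing import Any, Iterable

# Fixed versions per the advisory text on this page; anything earlier in the
# same release series is affected.
FIXED = {(8, 0): (8, 0, 7), (7, 0): (7, 0, 19), (6, 0): (6, 0, 22)}


def parse_version(v: str) -> tuple:
    """'7.0.18-ent' -> (7, 0, 18); raises ValueError on unrecognised input."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies in an affected range listed on this page.

    Release series the advisory does not name (e.g. 5.0.x) return False here,
    which means "not listed", not "known safe".
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def _contains_stage(obj: Any, stage: str) -> bool:
    """Recursively look for a pipeline stage key anywhere in a command document
    (covers $mergeCursors nested inside $facet, $lookup/$unionWith sub-pipelines, etc.)."""
    if isinstance(obj, dict):
        if stage in obj:
            return True
        return any(_contains_stage(v, stage) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_stage(v, stage) for v in obj)
    return False


def find_client_mergecursors(lines: Iterable[str]) -> list:
    """Return one finding per log record whose attr.command carries $mergeCursors.

    Non-JSON lines and records without a command document are skipped.
    """
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        attr = rec.get("attr") or {}
        cmd = attr.get("command")
        if not isinstance(cmd, dict):
            continue
        if _contains_stage(cmd, "$mergeCursors"):
            findings.append({
                "time": (rec.get("t") or {}).get("$date"),
                "conn": rec.get("ctx"),
                "ns": attr.get("ns"),
                "remote": attr.get("remote"),
            })
    return findings


# Constructed sample log lines (not from a real incident): a benign aggregate,
# one that smuggles a $mergeCursors stage into a client pipeline, and a non-JSON line.
SAMPLE_LOG = [
    '{"t":{"$date":"2025-07-08T10:00:01.000+00:00"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn41","msg":"Slow query","attr":{"type":"command","ns":"app.public",'
    '"command":{"aggregate":"public","pipeline":[{"$match":{"k":1}}],"cursor":{},"$db":"app"},'
    '"remote":"10.0.0.5:53122","durationMillis":120}}',
    '{"t":{"$date":"2025-07-08T10:00:02.000+00:00"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"app.public",'
    '"command":{"aggregate":"public","pipeline":[{"$mergeCursors":{}}],"cursor":{},"$db":"app"},'
    '"remote":"10.0.0.9:53201","durationMillis":95}}',
    "2025-07-08T10:00:03 plain text line that is not JSON",
]

if __name__ == "__main__":
    for v in ("6.0.21", "6.0.22", "7.0.18", "8.0.6", "8.0.7"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not in an affected range'}")
    for hit in find_client_mergecursors(SAMPLE_LOG):
        print("client-issued $mergeCursors:", hit)
```

Caveat for the log scanner: mongod only writes a command to its log when it crosses the slow-operation threshold or when logging is verbose enough to record all commands, so a fast exploit pipeline on a default configuration may never appear; the check is still sound for servers with auditing or lowered thresholds, and the version check needs nothing beyond the output of `db.version()`.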

Exploits (1)

nomisec · WORKING POC · 1 star
by c137req · poc
https://github.com/c137req/CVE-2025-6713

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: MongoDB Server 8.0.x before 8.0.7, 7.0.x before 7.0.19, 6.0.x before 6.0.22
Auth required: yes (valid credentials for an account that may read the public collection but not the restricted one; CVSS PR:L)
Prerequisites: Access to a MongoDB instance with a public collection and a restricted collection · Valid credentials for the MongoDB instance
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References (1)
Issue Tracking, Vendor Advisory: https://jira.mongodb.org/browse/SERVER-106752

Scores

CVSS v3.1 base score: 7.7 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0034 (0.34% probability of exploitation in the next 30 days)
EPSS Percentile: 25.2%

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-285 (Improper Authorization)
Status: published
Products (1): mongodb/mongodb 6.0.0 - 6.0.21 (fixed in 6.0.22; the 7.0 and 8.0 series are also affected before 7.0.19 and 8.0.7 respectively)
Published: Jul 07, 2025
Tracked Since: Feb 18, 2026