CVE-2025-6713

HIGH

Mongodb < 6.0.22 - Improper Authorization

Title source: rule

Description

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

Exploits (1)

nomisec WORKING POC 1 stars

by c137req · poc

https://github.com/c137req/CVE-2025-6713

View Code ZIP pw:eip

References (1)

[Issue Tracking, Vendor Advisory] https://jira.mongodb.org/browse/SERVER-106752

Scores

CVSS v3 7.7

EPSS 0.0011

EPSS Percentile 29.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (1)

mongodb/mongodb 6.0.0 - 6.0.22

Published Jul 07, 2025

Tracked Since Feb 18, 2026