cbcvebase.
CVE-2025-10059
published 2025-09-05

CVE-2025-10059: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided…

PriorityP336medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
0.25%
16.6th percentile
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

Affected

6 ranges
VendorProductVersion rangeFixed in
mongodbmongodb>= 6.0.0 < 6.0.246.0.24
mongodbmongodb>= 7.0.0 < 7.0.187.0.18
mongodbmongodb>= 8.0.0 < 8.0.68.0.6
mongodb_incmongodb_server>= 6.0 < 6.0.246.0.24
mongodb_incmongodb_server>= 7.0 < 7.0.187.0.18
mongodb_incmongodb_server>= 8.0 < 8.0.68.0.6

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv6.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.