CVE-2025-10059
published 2025-09-05CVE-2025-10059: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided…
PriorityP336medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
0.25%
16.6th percentile
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 6.0.0 < 6.0.24 | 6.0.24 |
| mongodb | mongodb | >= 7.0.0 < 7.0.18 | 7.0.18 |
| mongodb | mongodb | >= 8.0.0 < 8.0.6 | 8.0.6 |
| mongodb_inc | mongodb_server | >= 6.0 < 6.0.24 | 6.0.24 |
| mongodb_inc | mongodb_server | >= 7.0 < 7.0.18 | 7.0.18 |
| mongodb_inc | mongodb_server | >= 8.0 < 8.0.6 | 8.0.6 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2025-10059: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers
osv·2025-09-05·CVSS 6.5
CVE-2025-10059 [MEDIUM] CVE-2025-10059: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
GHSA
GHSA-5c77-c99v-84gc: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers
ghsa_unreviewed·2025-09-05
CVE-2025-10059 [MEDIUM] CWE-732 GHSA-5c77-c99v-84gc: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-05
Published