CVE-2025-10060 — Operation on a Resource after Expiration or Release in INC Mongodb Server

CWE-672 — Operation on a Resource after Expiration or Release4 documents4 sources

Severity

7.5HIGHNVD

CNA6.5

EPSS

0.3%

top 48.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedSep 5

Description

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server6.0 — 6.0.25+2

▶NVDmongodb/mongodb6.0.0 — 6.0.25+2

🔴Vulnerability Details

OSV

CVE-2025-10060: MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure↗2025-09-05

▶

GHSA

GHSA-95w4-863f-9mj3: MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure↗2025-09-05

▶

CVEList

MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation↗2025-09-05

▶