CVE-2025-11979 — Use After Free in INC Server

CWE-416 — Use After Free4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.3

EPSS

0.1%

top 82.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Server Mongodb

Timeline

PublishedOct 20

Description

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mongodb_inc/server8.0.0 — 8.0.14+2

▶NVDmongodb/mongodb7.0.0 — 7.0.25+1

🔴Vulnerability Details

CVEList

Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior↗2025-10-20

▶

OSV

CVE-2025-11979: An authorized user may crash the MongoDB server by causing buffer over-read↗2025-10-20

▶

GHSA

GHSA-ghg7-x6j9-jm6p: An authorized user may crash the MongoDB server by causing buffer over-read↗2025-10-20

▶