CVE-2025-12657: Improper Check for Unusual or Exceptional Conditions in MongoDB Server (MongoDB Inc.)

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.0% (top 84.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 3, 2025

Description

The KMIP response parser built into the mongo binaries is overly tolerant of certain malformed packets and may turn them into invalid in-memory objects instead of rejecting them. Later reads of such an object can trigger a read access violation, i.e. a crash of the process. The packets in question are KMIP responses, so they arrive from the key-management server the mongo process connects to for encryption-at-rest key management; a deployment that does not use KMIP does not exercise this parser.
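The bug class described above is a length-handling error in a TTLV parser: KMIP items are encoded as a 3-byte tag, a 1-byte type, a 4-byte big-endian length and a value padded to 8 bytes, and a parser that trusts the declared length can build an item whose value pointer runs past the received buffer. The following C program is an added illustration of the strict parsing that prevents that outcome; it is not MongoDB's code, and the sample packets (a ResponseMessage holding a ResultStatus enumeration and a UniqueIdentifier string) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* KMIP TTLV item header: 3-byte tag, 1-byte type, 4-byte big-endian length.
   The value follows, zero-padded to a multiple of 8 bytes (KMIP spec). */
#define KMIP_HDR_LEN 8
#define KMIP_MAX_DEPTH 32

enum kmip_type {
    KMIP_STRUCTURE = 0x01, KMIP_INTEGER = 0x02, KMIP_LONG_INTEGER = 0x03,
    KMIP_BIG_INTEGER = 0x04, KMIP_ENUMERATION = 0x05, KMIP_BOOLEAN = 0x06,
    KMIP_TEXT_STRING = 0x07, KMIP_BYTE_STRING = 0x08, KMIP_DATE_TIME = 0x09,
    KMIP_INTERVAL = 0x0A
};

typedef enum {
    KMIP_OK = 0, KMIP_ERR_TRUNCATED, KMIP_ERR_BAD_TYPE,
    KMIP_ERR_BAD_LENGTH, KMIP_ERR_BAD_PADDING
} kmip_status;

typedef struct {
    uint32_t tag;
    uint8_t type;
    uint32_t length;       /* declared value length, already validated */
    const uint8_t *value;  /* points into the caller's buffer, never past it */
    size_t consumed;       /* header + value + padding */
} kmip_item;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one item at buf[0..len). A tolerant parser would trust the declared
   length and hand back an item whose value runs past the buffer; every check
   here rejects the packet before any object is built from it. */
kmip_status kmip_parse_item(const uint8_t *buf, size_t len, kmip_item *out) {
    if (len < KMIP_HDR_LEN) return KMIP_ERR_TRUNCATED;
    uint8_t type = buf[3];
    uint32_t length = be32(buf + 4);

    switch (type) {                        /* fixed-size types per the spec */
    case KMIP_INTEGER: case KMIP_ENUMERATION: case KMIP_INTERVAL:
        if (length != 4) return KMIP_ERR_BAD_LENGTH;
        break;
    case KMIP_LONG_INTEGER: case KMIP_BOOLEAN: case KMIP_DATE_TIME:
        if (length != 8) return KMIP_ERR_BAD_LENGTH;
        break;
    case KMIP_STRUCTURE: case KMIP_BIG_INTEGER:
        if (length % 8 != 0) return KMIP_ERR_BAD_LENGTH;  /* contents are already padded */
        break;
    case KMIP_TEXT_STRING: case KMIP_BYTE_STRING:
        break;
    default:
        return KMIP_ERR_BAD_TYPE;
    }

    size_t padded = ((size_t)length + 7) & ~(size_t)7;    /* length < 2^32, cannot overflow */
    if (padded > len - KMIP_HDR_LEN) return KMIP_ERR_TRUNCATED;
    for (size_t i = length; i < padded; i++)              /* padding bytes must be zero */
        if (buf[KMIP_HDR_LEN + i] != 0) return KMIP_ERR_BAD_PADDING;

    out->tag = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    out->type = type;
    out->length = length;
    out->value = buf + KMIP_HDR_LEN;
    out->consumed = KMIP_HDR_LEN + padded;
    return KMIP_OK;
}

/* Walk a whole response, descending into structures. Returns the number of
   items seen, or -1 if anything is malformed, so a bad packet never yields
   a partially built object for later code to read. */
int kmip_validate(const uint8_t *buf, size_t len, int depth) {
    if (depth > KMIP_MAX_DEPTH) return -1;
    int count = 0;
    while (len > 0) {
        kmip_item it;
        if (kmip_parse_item(buf, len, &it) != KMIP_OK) return -1;
        count++;
        if (it.type == KMIP_STRUCTURE) {
            int n = kmip_validate(it.value, it.length, depth + 1);
            if (n < 0) return -1;
            count += n;
        }
        buf += it.consumed;
        len -= it.consumed;
    }
    return count;
}

/* Constructed sample: ResponseMessage (0x42007B) holding a ResultStatus
   enumeration (0x42007F) and a 3-byte UniqueIdentifier text string (0x420094). */
const uint8_t kmip_good[40] = {
    0x42,0x00,0x7B,0x01, 0x00,0x00,0x00,0x20,
    0x42,0x00,0x7F,0x05, 0x00,0x00,0x00,0x04, 0,0,0,0, 0,0,0,0,
    0x42,0x00,0x94,0x07, 0x00,0x00,0x00,0x03, 'a','b','c',0, 0,0,0,0
};
/* Same packet, but the text string claims 0x7FFFFFFF bytes of value. */
const uint8_t kmip_bad_len[40] = {
    0x42,0x00,0x7B,0x01, 0x00,0x00,0x00,0x20,
    0x42,0x00,0x7F,0x05, 0x00,0x00,0x00,0x04, 0,0,0,0, 0,0,0,0,
    0x42,0x00,0x94,0x07, 0x7F,0xFF,0xFF,0xFF, 'a','b','c',0, 0,0,0,0
};
/* Same packet, but the enumeration declares 2 bytes, which the spec forbids. */
const uint8_t kmip_bad_enum[40] = {
    0x42,0x00,0x7B,0x01, 0x00,0x00,0x00,0x20,
    0x42,0x00,0x7F,0x05, 0x00,0x00,0x00,0x02, 0,0,0,0, 0,0,0,0,
    0x42,0x00,0x94,0x07, 0x00,0x00,0x00,0x03, 'a','b','c',0, 0,0,0,0
};

int main(void) {
    printf("well-formed response: %d items\n", kmip_validate(kmip_good, sizeof kmip_good, 0));
    printf("over-long string:     %d\n", kmip_validate(kmip_bad_len, sizeof kmip_bad_len, 0));
    printf("short enumeration:    %d\n", kmip_validate(kmip_bad_enum, sizeof kmip_bad_enum, 0));
    return 0;
}
```

The point to take from the example is ordering: the declared length is compared against the bytes actually received, and against the fixed size the type requires, before the value pointer is stored anywhere. With that ordering a malformed response is dropped at parse time, whereas a tolerant parser returns an item and leaves the fault to whichever later read dereferences it.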

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Decoded: network attack vector, high attack complexity, attack requirements present, high privileges required, no user interaction; low confidentiality impact, no integrity impact, high availability impact on the vulnerable system; no impact on subsequent systems. Read together with the description, the malformed packet has to come from the KMIP server side of the connection, and the documented outcome is a read access violation (a crash) rather than code execution or data modification.

Affected Packages (2 packages)

Source      Package                       Affected versions
NVD         mongodb/mongodb               6.0.0 to 7.0.22 (+1)
CVEListV5   mongodb_inc/mongodb_server    6.0 to 7.0.22 (+1)

Vulnerability Details (3 sources)

CVEList (2025-11-03): Malformed KMIP response may result in access violation
OSV (2025-11-03): CVE-2025-12657: The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects
GHSA (2025-11-03): GHSA-7vcx-r7wm-hfxx: The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects

CVE-2025-12657 — INC Mongodb Server vulnerability | cvebase