CVE-2025-12893: Improper Certificate Validation in MongoDB Inc. MongoDB Server
Severity
2.3 LOW (NVD)
EPSS
0.0% (top 89.48%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 25
Description
Clients may complete a TLS handshake with a MongoDB server while presenting a client certificate that does not meet the documented Extended Key Usage (EKU) requirements. A certificate that carries an extendedKeyUsage extension but omits the clientAuth purpose (extendedKeyUsage = clientAuth) may still be accepted and authenticated as a client during the TLS handshake. The issue is specific to MongoDB servers running on Windows or Apple (macOS) platforms; the expected validation behaviour works correctly on Linux. Such a certificate must still be otherwise valid, that is, issued by a CA the server trusts; the defect is the missing purpose check, not a bypass of chain validation, which is consistent with the Low severity rating and the PR:L / AC:H terms in the CVSS vector below.
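The following is an added example, not code from MongoDB or from this advisory. It builds a throwaway CA and three client certificates (no EKU extension, EKU with serverAuth only, EKU with clientAuth) and applies the purpose check a TLS server is expected to make, using OpenSSL's own verifier (`openssl verify -purpose sslclient`). The serverAuth-only certificate is the case the description says an affected Windows/macOS MongoDB server wrongly accepts; the no-EKU certificate is accepted by design, because under RFC 5280 an absent extendedKeyUsage extension means the key is unrestricted. The CN values, file names and function names are invented for the demo; it requires the `openssl` CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not MongoDB's code): build a throwaway CA plus three client
# certificates and apply the EKU purpose check with OpenSSL's own verifier.
# Requires the openssl CLI (1.1.1 or 3.x). CN values and file names are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# req config: the [v3_ca] section is only applied when -x509 is given (the CA below).
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed P-256 CA. Deliberately carries no EKU extension of its own.
openssl req -x509 -config "$WORK/req.cnf" -days 1 -nodes \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# make_client NAME EKU_LIST
# EKU_LIST="" means no extendedKeyUsage extension at all (RFC 5280: any purpose).
make_client() {
  printf 'keyUsage = digitalSignature\n' > "$WORK/$1.ext"
  if [ -n "$2" ]; then
    printf 'extendedKeyUsage = %s\n' "$2" >> "$WORK/$1.ext"
  fi
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/ca.srl" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verdict NAME: prints "accepted" or "rejected".
# -purpose sslclient is the check a TLS server is expected to make on a client
# certificate: if an extendedKeyUsage extension is present it must include
# id-kp-clientAuth; if the extension is absent the certificate is not restricted.
verdict() {
  if openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_client no-eku ""
make_client server-only "serverAuth"
make_client client-ok "clientAuth,serverAuth"

# Expected: no-eku accepted, server-only rejected, client-ok accepted.
for c in no-eku server-only client-ok; do
  printf '%-12s %s\n' "$c" "$(verdict "$c")"
done
```

The `server-only` line is the discriminating case: a correctly validating server (and OpenSSL on Linux) rejects it with "unsupported certificate purpose", while an affected Windows or macOS MongoDB server would let the handshake complete. To inspect the EKU of an existing client certificate before relying on it for authentication, `openssl x509 -in client.pem -noout -ext extendedKeyUsage` prints the purposes it carries.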
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages (2 packages)
Vulnerability Details (3 sources)
OSV: CVE-2025-12893: Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extend… (2025-11-25)
GHSA: GHSA-wj7q-322r-2rrc: Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extend… (2025-11-25)
CVEList: Improper Certificate Validation May Allow Successful TLS Handshaking Despite Invalid Extended Key Usage Fields in MongoDB Server (2025-11-25)