CVE-2025-13644 — Reachable Assertion in INC Mongodb Server

CWE-617 — Reachable Assertion4 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 72.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedNov 25

Description

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server8.0 — 8.0.13+2

▶NVDmongodb/mongodb7.0.0 — 7.0.26+3

🔴Vulnerability Details

OSV

CVE-2025-13644: MongoDB Server may experience an invariant failure during batched delete operations when handling documents↗2025-11-25

▶

CVEList

MongoDB may be susceptible to Invariant Failure due to batched delete↗2025-11-25

▶

GHSA

GHSA-73mg-mfgw-wp2f: MongoDB Server may experience an invariant failure during batched delete operations when handling documents↗2025-11-25

▶