CVE-2025-14345Improper Locking in INC Mongodb Server

CWE-667Improper Locking5 documents5 sources
Severity
2.3LOWNVD
EPSS
0.1%
top 81.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedDec 9

Description

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server7.07.0.26+2
NVDmongodb/mongodb7.0.07.0.26+3

🔴Vulnerability Details

3
GHSA
GHSA-hp99-hc25-26x7: A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data incon2025-12-09
OSV
CVE-2025-14345: A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data incon2025-12-09
CVEList
Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server2025-12-09

🕵️Threat Intelligence

1
Wiz
CVE-2025-14345 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14345 — Improper Locking in INC Mongodb Server | cvebase