CVE-2025-3085
Published: 2025-04-01
CVE-2025-3085: A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled fails to check the revocation status of the intermediate certificates in the peer's certificate chain.
Priority P358 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.26% (16.8th percentile)
A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.
Required configuration: MongoDB Server must be running on Linux and CRL revocation status checking must be enabled.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 5.0.0 < 5.0.31 | 5.0.31 |
| mongodb | mongodb | >= 6.0.0 < 6.0.20 | 6.0.20 |
| mongodb | mongodb | >= 7.0.0 < 7.0.16 | 7.0.16 |
| mongodb | mongodb | >= 8.0.0 < 8.0.4 | 8.0.4 |
| mongodb_inc | mongodb_server | >= 5.0 < 5.0.31 | 5.0.31 |
| mongodb_inc | mongodb_server | >= 6.0 < 6.0.20 | 6.0.20 |
| mongodb_inc | mongodb_server | >= 7.0 < 7.0.16 | 7.0.16 |
| mongodb_inc | mongodb_server | >= 8.0 < 8.0.4 | 8.0.4 |
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
OSV: 9.8 CRITICAL
GHSA
GHSA-v8j7-gw8h-m2j4 · ghsa_unreviewed · 2025-04-01 · HIGH · CWE-299
Same description and required configuration as above.
OSV
CVE-2025-3085 · osv · 2025-04-01 · CVSS 9.8 · CRITICAL
Same description and required configuration as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-04-01