CVE-2025-6713Improper Authorization in INC Mongodb Server

CWE-285Improper Authorization4 documents4 sources
Severity
6.5MEDIUMNVD
CNA7.7
EPSS
0.1%
top 71.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedJul 7

Description

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server6.06.0.22+2
NVDmongodb/mongodb6.0.06.0.22+2

🔴Vulnerability Details

3
OSV
CVE-2025-6713: An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the2025-07-07
GHSA
GHSA-p3jv-2cpc-349v: An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the2025-07-07
CVEList
MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage2025-07-07
CVE-2025-6713 — Improper Authorization | cvebase