CVE-2025-11979 MEDIUM

CVE-2025-11979: Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior

Vendor MongoDB Inc.
Product Server
Weakness CWE-416
Published October 20, 2025
Last update October 20, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

An authorized user may crash the MongoDB server by causing a buffer over-read. Under some conditions, this can be done by issuing a DDL operation while queries are being executed. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

Disclosure timeline

October 20, 2025 CVE published
October 20, 2025 Record updated