CVE-2025-12657 MEDIUM

CVE-2025-12657: Malformed KMIP response may result in access violation

Vendor MongoDB Inc.
Product MongoDB Server
Weakness CWE-754 (Improper Check for Unusual or Exceptional Conditions)
Published November 3, 2025
Last update November 3, 2025

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity None
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

The KMIP response parser built into the mongo binaries is overly tolerant of certain malformed packets and may parse them into invalid objects. Later reads of such an object can result in read access violations.

Key dates

Disclosure timeline

November 3, 2025 CVE published
November 3, 2025 Record updated