CVE-2025-6709 HIGH

CVE-2025-6709: Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication

Vendor Mongodb Inc

Product MongoDB Server

Weakness CWE-20 · Input validation

Published June 26, 2025

Last update June 26, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

Key dates

02Disclosure timeline

June 26, 2025 CVE published

June 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-6709

Related vulnerabilities

Identifiers

CVE CVE-2025-6709

CWE CWE-20

CVSS 7.5 / HIGH

Affected versions

Vendor Mongodb Inc

Product MongoDB Server

Affected ≥ 7.0 and < 7.0.17

Vendor Mongodb Inc

Product MongoDB Server

Affected ≥ 8.0 and < 8.0.5

Vendor Mongodb Inc

Product MongoDB Server

Affected ≥ 6.0 and < 6.0.21

CVE-2025-6709: Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication

01Description

02Disclosure timeline

03References

04Related CVE