CVE-2025-10059
CVE-2025-10059 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mongodb | Mongodb | >= 6.0.0, < 6.0.24 |
| Mongodb | Mongodb | >= 7.0.0, < 7.0.18 |
| Mongodb | Mongodb | >= 8.0.0, < 8.0.6 |
References
- https://jira.mongodb.org/browse/SERVER-100901 (Issue Tracking, Vendor Advisory)
- https://jira.mongodb.org/browse/SERVER-100909 (Issue Tracking, Vendor Advisory)
Source: NVD / NIST
