CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-3083: Malformed MongoDB wire protocol messages may cause mongos to crash

7.5 CVSS

Description

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16

Classification

CVE ID: CVE-2025-3083

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-248: Uncaught Exception

Affected Products

Vendor: MongoDB Inc

Product: MongoDB Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.4% (scored less or equal to compared to others)

EPSS Date: 2025-04-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3083
https://jira.mongodb.org/browse/SERVER-103152

Timeline

2025-04-01 12:40:18 UTC
CVE

Malformed MongoDB wire protocol messages may cause mongos to crash