Improper Setting of lsid Field in MongoDB Routers
CVE-2025-10059

6.5MEDIUM

Key Information:

Vendor: MongoDB
Status: Mongodb Server
Vendor: CVE Published:; 5 September 2025

What is CVE-2025-10059?

An inappropriate configuration of the lsid field in sharded queries may lead to crashes in MongoDB routers. This vulnerability occurs when a generic lsid argument is utilized incorrectly in scenarios where it is not applicable. Affected versions include MongoDB Server v6.0 before 6.0.x, v7.0 before 7.0.18, and v8.0 before 8.0.6. Users are advised to update to the latest versions to mitigate potential disruptions.

Affected Version(s)

MongoDB Server 6.0 < 6.0.24

MongoDB Server 7.0 < 7.0.18

MongoDB Server 8.0 < 8.0.6

References

https://jira.mongodb.org/browse/SERVER-100901

https://jira.mongodb.org/browse/SERVER-100909

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2025
Vulnerability Reserved
Sep 5, 2025