TLS Handshake Vulnerability in MongoDB Server for Windows and Apple
CVE-2025-12893

2.3 LOW

Key Information:

Vendor

MongoDB

CVE Published:
25 November 2025

What is CVE-2025-12893?

This vulnerability allows clients to complete a TLS handshake with a MongoDB server even when the client certificate they present does not meet the Extended Key Usage (EKU) requirements: client certificates that lack the 'clientAuth' EKU may still be authenticated successfully. The problem is present in MongoDB Server on Windows and on Apple platforms, which do not enforce the certificate validation behaviour seen on Linux. Furthermore, a MongoDB server on Apple platforms can establish outgoing TLS connections to servers that present invalid server certificates, ones that do not fulfil the necessary EKU requirements, again bypassing the authentication checks. This makes misconfigurations possible that could lead to unauthorized access.
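The check the paragraph describes, as an added Go example that is not MongoDB's code: it builds a constructed test CA and leaf certificates in memory and verifies a peer certificate against that CA while requiring a specific EKU, so a certificate that chains correctly but lacks clientAuth (or, for the outbound Apple case, serverAuth) is rejected instead of accepted. The names issue and VerifyForUsage are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for cn carrying the given EKUs under ca/caKey; with
// isCA it is self-signed and ca/caKey are ignored. Constructed test data only.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string,
	ekus []x509.ExtKeyUsage, isCA bool) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyForUsage is the check the advisory says was skipped: the peer certificate
// must chain to the trusted CA AND be valid for the intended EKU (clientAuth for an
// incoming client, serverAuth for an outbound peer). A good chain with the wrong EKU
// yields (chainOK=true, ekuOK=false) and must be rejected.
func VerifyForUsage(leaf, ca *x509.Certificate, want x509.ExtKeyUsage) (chainOK, ekuOK bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{want}})
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage {
		return true, false // signatures check out, usage does not: reject
	}
	return err == nil, err == nil
}
```

Because Roots is set explicitly, Go's own verifier runs rather than the platform verifier, which is the component the advisory says behaved differently across operating systems.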

Affected Version(s)

MongoDB Server MacOS 7.0 < 7.0.26

MongoDB Server MacOS 8.0 < 8.0.16

MongoDB Server MacOS 8.2 < 8.2.2

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
