Denial of Service Vulnerability in MongoDB by MongoDB, Inc.
CVE-2025-3083

7.5HIGH

Key Information:

Vendor
MongoDB
Status
Mongodb Server
Vendor
CVE Published:
1 April 2025

What is CVE-2025-3083?

CVE-2025-3083 is a denial of service vulnerability found in MongoDB, a popular NoSQL database designed for handling large volumes of structured and unstructured data. This vulnerability arises from the processing of specially crafted messages over the MongoDB wire protocol, allowing attackers to crash the mongos routing service during command validation. The flaw exists in specific versions of MongoDB, making it critical for organizations that rely on this database for their applications and data management. The potential for disruption without requiring an authenticated connection could lead to significant service downtime and operational challenges for organizations.

Technical Details

The vulnerability is rooted in how MongoDB handles incoming requests through its wire protocol. Specifically, maliciously crafted messages can exploit weaknesses during the command validation phase, leading to the failure of the mongos component, which acts as a query router for sharded clusters. The affected MongoDB versions include those prior to 5.0.31, 6.0.20, and 7.0.16. Importantly, the exploit can be executed without needing access credentials, which increases the risk of unauthorized denial of service attacks.

Potential Impact of CVE-2025-3083

  1. Service Disruption: The primary impact of this vulnerability is the potential for widespread service disruption, as compromising the mongos routing layer could lead to complete outages of applications that depend on MongoDB for their data services.

  2. Operational Challenges: Continuous crashes due to the exploitation of CVE-2025-3083 may impede business operations, leading to downtime that affects not only database availability but also the productivity of teams relying on that data.

  3. Resource Drain: Organizations might incur additional costs due to the need to allocate IT resources for incident response and recovery efforts, alongside potential impacts on customer trust and satisfaction due to degraded service experiences.

Affected Version(s)

MongoDB Server 5.0 < 5.0.31

MongoDB Server 6.0 < 6.0.20

MongoDB Server 7.0. < 7.0.16

References

https://jira.mongodb.org/browse/SERVER-103152

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.