Improper Authentication in MongoDB Server on Linux with TLS Configuration
CVE-2025-3085

8.1HIGH

Key Information:

Vendor
MongoDB
Vendor
CVE Published:
1 April 2025

Summary

An improper authentication vulnerability exists in MongoDB Server when running on Linux with TLS enabled and CRL revocation status checking engaged. Under certain conditions, the server fails to verify the revocation status of intermediate certificates in the peer’s certificate chain. This could lead to unauthorized access, particularly when MONGODB-X509 authentication is implemented, which is not enabled by default. The issue also poses a risk to intra-cluster authentication, making it crucial for organizations to ensure that their MongoDB Servers are updated and properly configured.

Affected Version(s)

MongoDB Server 5.0 < 5.0.31

MongoDB Server 6.0 < 6.0.20

MongoDB Server 7.0 < 7.0.16

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.