Improper Authentication in MongoDB Server on Linux with TLS Configuration
CVE-2025-3085

8.1HIGH

Key Information:

Vendor: MongoDB
Status: Mongodb Server
Vendor: CVE Published:; 1 April 2025

Summary

An improper authentication vulnerability exists in MongoDB Server when running on Linux with TLS enabled and CRL revocation status checking engaged. Under certain conditions, the server fails to verify the revocation status of intermediate certificates in the peer’s certificate chain. This could lead to unauthorized access, particularly when MONGODB-X509 authentication is implemented, which is not enabled by default. The issue also poses a risk to intra-cluster authentication, making it crucial for organizations to ensure that their MongoDB Servers are updated and properly configured.

Affected Version(s)

MongoDB Server 5.0 < 5.0.31

MongoDB Server 6.0 < 6.0.20

MongoDB Server 7.0 < 7.0.16

References

https://jira.mongodb.org/browse/SERVER-95445

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 1, 2025
Vulnerability Reserved
Apr 1, 2025