Data Access Flaw in MongoDB Server Affecting Multiple Versions
CVE-2025-6713

7.7 HIGH

Key Information:

Vendor: MongoDB

CVE Published: 7 July 2025

What is CVE-2025-6713?

Improper handling of the $mergeCursors stage in MongoDB Server allows an unauthorized user to use a specially crafted aggregation pipeline that may give access to sensitive data without appropriate authorization. The vulnerability affects MongoDB Server versions prior to 8.0.7, 7.0.20, and 6.0.22, so users on affected versions need to adopt security measures promptly. For further details, refer to the official MongoDB issue tracker.

Affected Version(s)

MongoDB Server 6.0 < 6.0.22

MongoDB Server 7.0 < 7.0.20

MongoDB Server 8.0 < 8.0.7

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
