MongoDB 7.0.4
Approved changes feed: RSS · Atom
cpe:2.3:a:mongodb:mongodb:7.0.4:*:*:*:*:*:*:*
part: a version: 7.0.4 update: *
| Vendor | Mongodb (1aa156a6-63a9-5032-baaf-10197d408a1e) |
|---|---|
| Product | Mongodb (fa9f1f9b-0cc9-5830-a189-b908276ac432) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:deb/debian/mongodb |
purl2cpe | 2026-06-01 10:11:17.930555 |
pkg:deb/ubuntu/mongodb |
purl2cpe | 2026-06-01 10:11:17.930556 |
pkg:github/mongodb/mongo |
purl2cpe | 2026-06-01 10:11:17.930557 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-6714 |
vulnerable | 2026-06-03 15:12:28.711022 |
Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections
HIGH (7.5)
MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9
Required Configuration:
This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.
Published: 2025-07-07T14:48:48.312Z
Updated: 2025-07-07T19:11:47.975Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6713 |
vulnerable | 2026-06-03 15:12:28.707434 |
MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage
HIGH (7.7)
An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22
Published: 2025-07-07T14:46:36.201Z
Updated: 2025-07-18T05:50:23.153Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6711 |
vulnerable | 2026-06-03 15:12:28.670968 |
Incomplete Redaction of Sensitive Information in MongoDB Server Logs
MEDIUM (4.4)
An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.
Published: 2025-07-07T14:42:16.562Z
Updated: 2025-07-07T14:58:08.477Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6710 |
vulnerable | 2026-06-03 15:12:28.667822 |
Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB
HIGH (7.5)
MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.
The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.
Published: 2025-06-26T14:09:29.581Z
Updated: 2025-06-26T17:35:01.659Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6709 |
vulnerable | 2026-06-03 15:12:28.658561 |
Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication
HIGH (7.5)
The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.
The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.
Published: 2025-06-26T14:07:04.979Z
Updated: 2025-06-26T17:39:12.683Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6707 |
vulnerable | 2026-06-03 15:12:28.641965 |
Race condition in privilege cache invalidation cycle
MEDIUM (4.2)
Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.
Published: 2025-06-26T14:04:46.283Z
Updated: 2026-02-26T17:50:22.191Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-6706 |
vulnerable | 2026-06-03 15:12:28.593217 |
Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server
MEDIUM (5)
An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.
The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.
Published: 2025-06-26T14:00:22.802Z
Updated: 2025-06-26T17:40:45.307Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3085 |
vulnerable | 2026-06-03 15:01:03.623983 |
MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked
HIGH (8.1)
A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.
Required Configuration : MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled
Published: 2025-04-01T12:05:05.401Z
Updated: 2025-04-01T13:03:02.701Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3084 |
vulnerable | 2026-06-03 15:01:03.603890 |
MongoDB Server may crash due to improper validation of explain command
MEDIUM (6.5)
When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4
Published: 2025-04-01T11:14:19.784Z
Updated: 2025-04-01T13:10:04.793Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3083 |
vulnerable | 2026-06-03 15:01:03.591885 |
Malformed MongoDB wire protocol messages may cause mongos to crash
HIGH (7.5)
Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16
Published: 2025-04-01T11:12:31.268Z
Updated: 2025-04-01T13:18:48.632Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-3082 |
vulnerable | 2026-06-03 15:01:03.575082 |
User may override a view's collation and gain unauthorized access to underlying data
LOW (3.1)
A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.
Published: 2025-04-01T11:08:06.589Z
Updated: 2025-04-01T15:14:39.348Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0755 |
vulnerable | 2026-06-03 14:58:32.853912 |
MongoDB C Driver bson library may be susceptible to buffer overflow
HIGH (8.4)
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
Published: 2025-03-18T09:01:04.793Z
Updated: 2025-11-03T19:35:09.738Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8305 |
vulnerable | 2026-06-03 14:58:18.086265 |
MongoDB Server secondaries may crash due to forced index constraints
MEDIUM (6.5)
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4
Published: 2024-10-21T14:10:31.079Z
Updated: 2024-10-21T15:50:06.751Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7553 |
vulnerable | 2026-06-03 14:58:06.156143 |
Accessing Untrusted Directory May Allow Local Privilege Escalation
HIGH (7.3)
Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.
Required Configuration:
Only environments with Windows as the underlying operating system is affected by this issue
Published: 2024-08-07T09:57:49.818Z
Updated: 2024-08-07T15:27:46.258Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3372 |
vulnerable | 2026-06-03 14:56:24.180209 |
MongoDB Server may have unexpected application behaviour due to invalid BSON
HIGH (7.5)
Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.
Published: 2024-05-14T13:24:05.097Z
Updated: 2024-08-01T20:12:06.488Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10921 |
vulnerable | 2026-06-03 14:54:12.950861 |
Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server
MEDIUM (6.8)
An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.
Published: 2024-11-14T16:04:04.062Z
Updated: 2024-11-15T09:45:56.720Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.