Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-10059

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

Published

2025-09-05T21:15:34.773

Last Modified

2025-09-22T16:55:12.757

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mongodb	mongodb	< 6.0.24	Yes
Application	mongodb	mongodb	< 7.0.18	Yes
Application	mongodb	mongodb	< 8.0.6	Yes

References

https://jira.mongodb.org/browse/SERVER-100901 Issue Tracking, Vendor Advisory ([email protected])
https://jira.mongodb.org/browse/SERVER-100909 Issue Tracking, Vendor Advisory ([email protected])