CVE-2025-6706

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MongoDB Server versions prior to 6.0.21 MongoDB Server versions prior to 7.0.17 MongoDB Server versions prior to 8.0.4

Description: An authenticated user may trigger a use after free, resulting in a MongoDB Server crash and other unexpected behavior, even without authorization to shut down a server. This issue is triggered by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions when the SBE engine is enabled.

Recommendations: For MongoDB Server versions prior to 6.0.21, update to version 6.0.21 or later. For MongoDB Server versions prior to 7.0.17, update to version 7.0.17 or later. For MongoDB Server versions prior to 8.0.4, update to version 8.0.4 or later.

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

ALT-PU-2025-8810

ALT-PU-2025-9742

ALT-PU-2025-9750

ALT-PU-2025-9809

BDU:2025-11758

BIT-MONGODB-2025-6706

CVE-2025-6706

Affected Products

Alt Linux

Mongodb Server

Mongodb

Red Os

CVE-2025-6706

Weakness Enumeration

Related Identifiers

Affected Products

References · 16