PT-2025-37717 · Mongodb · Mongodb Server
Published 2025-09-15 · Updated 2025-09-20 · CVE-2025-10491
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MongoDB Server versions prior to 6.0.25
MongoDB Server versions prior to 7.0.21
MongoDB Server versions prior to 8.0.5
Description
The MongoDB Windows installation MSI may leave Access Control Lists (ACLs) unset on custom installation directories, potentially allowing a local attacker to introduce executable code into MongoDB’s process via DLL hijacking. DLL hijacking is a technique where a malicious Dynamic Link Library (DLL) is placed in a location where the application will load it instead of the legitimate DLL.
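As an added check that is not part of this advisory or of MongoDB's own tooling, the PowerShell script below audits a MongoDB installation directory for ACL entries that let low-privilege principals write into it, which is the precondition for the DLL hijacking described above. The install path is an assumption; point it at your custom directory.

```powershell
# Added example, not from the advisory or MongoDB: flag ACL entries on the
# MongoDB install tree that give low-privilege principals write access.
param(
    [string]$InstallDir = 'D:\MongoDB\Server\8.0'   # assumption: custom install path
)

# Well-known low-privilege principals that must not be able to plant files here.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # Interactive
)

# Rights that allow creating, replacing or deleting a file (or re-ACLing the dir).
$dangerous = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-MongoDirAcl {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so localized group names do not matter.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$dangerous) -ne 0) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

# Audit the install root and every subdirectory (bin\ is where mongod.exe loads DLLs from).
$dirs = @($InstallDir) + (Get-ChildItem -LiteralPath $InstallDir -Directory -Recurse | ForEach-Object FullName)
$results = foreach ($d in $dirs) { Test-MongoDirAcl -Path $d }

if ($results) {
    $results | Format-Table -AutoSize
    # Remediation sketch (run as Administrator, after updating to a fixed MSI):
    #   icacls "$InstallDir" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
} else {
    Write-Output "No writable ACEs for low-privilege principals under $InstallDir"
}
```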
Recommendations
Update MongoDB Server to version 6.0.25 or later.
Update MongoDB Server to version 7.0.21 or later.
Update MongoDB Server to version 8.0.5 or later.
Fix
Improper Access Control
Affected Products
Mongodb Server