PT-2025-47988 · Mongodb · Mongodb Server+1
Published 2025-11-25 · Updated 2025-12-06
CVE-2025-12893
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
MongoDB Server versions prior to 7.0.26
MongoDB Server versions prior to 8.0.16
MongoDB Server versions prior to 8.2.2
Description
A MongoDB server may incorrectly establish TLS handshakes with clients or servers presenting certificates that do not meet the documented Extended Key Usage (EKU) requirements. Specifically, a client certificate lacking extendedKeyUsage = clientAuth may be accepted, and a server certificate missing extendedKeyUsage = serverAuth may also be successfully authenticated. This behavior is observed on Windows and Apple systems for client certificates, and on Apple systems for server certificates; validation functions correctly on Linux.
Recommendations
Update MongoDB Server to version 7.0.26 or later.
Update MongoDB Server to version 8.0.16 or later.
Update MongoDB Server to version 8.2.2 or later.
Fix
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Mongodb Server
Mongodb