CVE-2025-10061
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2025-11-13

Assigner: MongoDB, Inc.

Description
An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2025-11-13
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10061
EUVD
EUVD-2025-27034
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mongodb mongodb From 8.1.0 (inc) to 8.1.2 (inc)
mongodb mongodb From 8.1.0 (inc) to 8.1.2 (inc)
mongodb mongodb From 8.1.0 (inc) to 8.1.2 (inc)
mongodb mongodb From 8.1.0 (inc) to 8.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an authorized user to cause a crash in the MongoDB Server by using a specially crafted $group query. It is due to incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation.

Impact Analysis

The vulnerability can lead to a denial of service (DoS) condition if the specially crafted $group query is triggered repeatedly, causing the MongoDB Server to crash.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your MongoDB Server to a fixed version. Specifically, update to MongoDB Server v6.0.25 or later, v7.0.22 or later, v8.0.12 or later, or v8.1.2 or later, depending on your current version. Avoid running specially crafted $group queries from authorized users until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10061. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart