CVE-2025-11695
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-12-04
Assigner: MongoDB, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | rust_driver | to 3.2.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when the tlsInsecure=False setting is used in a connection string for the MongoDB Rust Driver. In this case, certificate validation is disabled, which means the driver does not verify the authenticity of the TLS certificates, potentially allowing man-in-the-middle attacks or other security risks.
How can this vulnerability impact me? :
Disabling certificate validation can expose your application to man-in-the-middle attacks, where an attacker could intercept or alter data transmitted between your application and the database. This can lead to data breaches, unauthorized data access, and compromise of data integrity and confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
Disabling certificate validation undermines the security of data in transit, which can lead to unauthorized access or data breaches. This can result in non-compliance with data protection regulations such as GDPR and HIPAA, which require appropriate safeguards to protect sensitive data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the connection string does not include tlsInsecure=False, thereby enabling certificate validation. Additionally, upgrade the MongoDB Rust Driver to version 3.2.5 or later where this issue is fixed.