CVE-2025-12893
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12893, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-25

Last updated on: 2025-12-05

Assigner: MongoDB, Inc.

Description

Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-25
Last Modified
2025-12-05
Generated
2026-07-06
AI Q&A
2025-11-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
mongodb mongodb From 7.0.0 (inc) to 7.0.26 (exc)
mongodb mongodb From 8.0.0 (inc) to 8.0.16 (exc)
mongodb mongodb From 8.2.0 (inc) to 8.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows clients to successfully perform a TLS handshake with a MongoDB server even if their client certificate does not meet the documented Extended Key Usage (EKU) requirements. Specifically, a certificate missing the required 'clientAuth' EKU can still be authenticated as a client on MongoDB servers running on Windows or Apple. Similarly, MongoDB servers on Apple can establish TLS connections with servers presenting certificates missing the 'serverAuth' EKU. This means the expected certificate validation is bypassed on these platforms.

Impact Analysis

This vulnerability can impact you by allowing unauthorized or improperly validated certificates to be accepted during TLS handshakes with MongoDB servers on Windows or Apple platforms. This could potentially allow unauthorized clients or servers to connect securely, undermining the intended security controls and possibly exposing sensitive data or systems to unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart