CVE-2025-12893
BaseFortify

Publication date: 2025-11-25

Last updated on: 2025-12-05

Assigner: MongoDB, Inc.

Description
Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple, as the expected validation behavior functions correctly on Linux systems.

Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple, as the expected validation behavior functions correctly on both Linux and Windows systems.

This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2.
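The check the advisory describes as missing on the affected platforms is the Extended Key Usage rule from RFC 5280 section 4.2.1.12: a certificate with no EKU extension is usable for any purpose, but a certificate that carries the extension must list the purpose the peer is being accepted for (id-kp-clientAuth for a client, id-kp-serverAuth for a server) or anyExtendedKeyUsage. The following is an added example written for this page, not MongoDB's code or any TLS library's. It parses the DER-encoded ExtKeyUsageSyntax value with a minimal parser and applies that rule; the sample byte strings are constructed here, and the function names (`parse_eku`, `eku_permits`) are the example's own.

```python
"""Apply the RFC 5280 Extended Key Usage rule to a DER-encoded EKU value.

Added example for illustration; not code from the advisory or from MongoDB.
Inputs are the DER contents of the extension's OCTET STRING, i.e. the
ExtKeyUsageSyntax SEQUENCE OF KeyPurposeId, not a whole certificate.
"""

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the octet count
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, acc, pending = [], 0, False
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)           # high bit set means more octets follow
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]                        # first octet packs the first two arcs
    if first < 80:
        head = [first // 40, first % 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        purposes.append(_decode_oid(value))
    if not purposes:
        raise ValueError("EKU SEQUENCE must not be empty")
    return purposes


def eku_permits(eku_der, required_purpose):
    """True if the certificate may be used for required_purpose.

    An absent extension (None) imposes no restriction.  A present extension
    must name the purpose or anyExtendedKeyUsage; this is the step the
    advisory says was skipped for clientAuth/serverAuth on some platforms.
    """
    if eku_der is None:
        return True
    purposes = parse_eku(eku_der)
    return required_purpose in purposes or ANY_EKU in purposes


# Constructed sample EKU values (DER), labelled by what they contain.
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_BOTH = bytes.fromhex("301406082b0601050507030106082b06010505070302")
EKU_ANY = bytes.fromhex("30060604551d2500")

if __name__ == "__main__":
    # A serverAuth-only certificate offered as a *client* must be refused.
    print("server-only cert as client:", eku_permits(EKU_SERVER_ONLY, CLIENT_AUTH))
    print("server-only cert as server:", eku_permits(EKU_SERVER_ONLY, SERVER_AUTH))
    print("no EKU extension as client:", eku_permits(None, CLIENT_AUTH))
```

The first printed line is the case in the advisory: a certificate that has an EKU extension without clientAuth should fail as a client, and a correct validator returns False there. Running the same check against a certificate chain from both the mongod ingress side (client certificates, CLIENT_AUTH) and its egress side (server certificates, SERVER_AUTH) is a direct way to confirm which certificates would have been wrongly accepted on an unpatched deployment.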
Meta Information
Published: 2025-11-25
Last Modified: 2025-12-05
Generated: 2026-05-07
AI Q&A: 2025-11-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product    Version / Range
mongodb   mongodb    From 7.0.0 (inc) to 7.0.26 (exc)
mongodb   mongodb    From 8.0.0 (inc) to 8.0.16 (exc)
mongodb   mongodb    From 8.2.0 (inc) to 8.2.2 (exc)
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability allows clients to successfully perform a TLS handshake with a MongoDB server even if their client certificate does not meet the documented Extended Key Usage (EKU) requirements. Specifically, a certificate missing the required 'clientAuth' EKU can still be authenticated as a client on MongoDB servers running on Windows or Apple. Similarly, MongoDB servers on Apple can establish TLS connections with servers presenting certificates missing the 'serverAuth' EKU. This means the expected certificate validation is bypassed on these platforms.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized or improperly validated certificates to be accepted during TLS handshakes with MongoDB servers on Windows or Apple platforms. This could potentially allow unauthorized clients or servers to connect securely, undermining the intended security controls and possibly exposing sensitive data or systems to unauthorized access.

