CVE-2025-14345
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-11
Assigner: MongoDB, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | mongodb_server | 8.0 |
| mongodb | mongodb_server | 7.0 |
| mongodb | mongodb_server | 8.2 |
| mongodb | mongodb | From 7.0.0 (inc) to 7.0.26 (inc) |
| mongodb | mongodb | 8.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a post-authentication flaw in the network two-phase commit protocol that MongoDB Server uses to coordinate cross-shard (distributed) transactions. Under rare and transient conditions, the transaction coordinator may treat a transaction as committed when it has not actually committed on every participating shard, so the shards end up holding logically inconsistent data. The weakness is classed as CWE-667 (improper locking) because the coordinator's decision depends on a state it has not correctly synchronised.
How can this vulnerability impact me?
The vulnerability can cause logical data inconsistencies across shards in a sharded MongoDB Server deployment, which is rated as a low impact on integrity and availability. Applications that rely on a cross-shard transaction being atomic may observe writes applied on some shards but not others, producing incorrect results that are hard to trace back to this cause. Only sharded clusters that run cross-shard transactions exercise the affected protocol, and an attacker (or a buggy client) needs an authenticated session that can open such transactions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade MongoDB Server to a fixed release for your branch: 7.0.26 or later for the 7.0 series, 8.0.16 or later for the 8.0 series, or 8.2.2 or later for the 8.2 series. The affected-products table above also lists 8.3.0, for which no fixed release is given here; check MongoDB's own advisory for that branch. Upgrading is the only fix: because the flaw is post-authentication, limiting which accounts may run transactions narrows exposure but does not remove it.
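The following is an added example, not code from the BaseFortify page or from MongoDB, that turns the mitigation above into a check a practitioner can paste into mongosh. It encodes the three fixed releases named on this page (7.0.26, 8.0.16, 8.2.2), compares a reported server version against them, and uses the documented `hello` response field `msg: "isdbgrid"` to tell whether the current connection goes through a mongos (i.e. a sharded cluster, where cross-shard transactions are possible). Branches the mitigation does not cover, including the 8.3.0 build listed in the table, are reported as `"unknown"` rather than guessed. The two sample `hello` documents are constructed for the example, not captured from a real cluster.

```javascript
// Added example: assess exposure to CVE-2025-14345 from a version string
// and a `hello` response. Fixed releases are those named in the mitigation
// section of this page; no other versions are assumed.
const FIXED_BY_BRANCH = {
  "7.0": [7, 0, 26],
  "8.0": [8, 0, 16],
  "8.2": [8, 2, 2],
};

// "8.0.15-rc1" -> [8, 0, 15]; pre-release and build suffixes are dropped.
function parseVersion(v) {
  const core = String(v).trim().split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unrecognised MongoDB version: ${v}`);
  }
  return parts;
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "affected", "fixed", or "unknown" when the branch has no fixed release
// listed on this page (e.g. 8.3.0 or any branch outside 7.0/8.0/8.2).
function assessVersion(v) {
  const parsed = parseVersion(v);
  const fixed = FIXED_BY_BRANCH[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return "unknown";
  return compareVersions(parsed, fixed) < 0 ? "affected" : "fixed";
}

// A mongos answers `hello` (and the legacy `isMaster`) with msg: "isdbgrid".
// Note: a direct connection to a shard's mongod will NOT carry this marker,
// so a false result here does not by itself prove the cluster is unsharded.
function isMongos(helloDoc) {
  return Boolean(helloDoc) && helloDoc.msg === "isdbgrid";
}

// Combine both signals into one verdict string for the operator.
function assessExposure(version, helloDoc) {
  const verdict = assessVersion(version);
  if (verdict !== "affected") return verdict;
  return isMongos(helloDoc)
    ? "affected: sharded cluster on a vulnerable build, upgrade now"
    : "affected build: confirm whether this node belongs to a sharded cluster";
}

// Constructed sample `hello` responses (not captured from a real deployment).
const SAMPLE_MONGOS_HELLO = { isWritablePrimary: true, msg: "isdbgrid", ok: 1 };
const SAMPLE_REPLSET_HELLO = { isWritablePrimary: true, setName: "rs0", ok: 1 };

// In mongosh, run against the live connection with:
//   assessExposure(db.version(), db.hello())
```

`db.version()` and `db.hello()` are real mongosh helpers; everything else in the block is the example's own code. Treat `"unknown"` as a prompt to read MongoDB's advisory for that branch, not as a clean result.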