CVE-2025-3083: Malformed MongoDB wire protocol messages may cause mongos to crash
First published: Tue Apr 01 2025(Updated: )
Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MongoDB | <5.0.31 | |
| MongoDB | <6.0.20 | |
| MongoDB | <7.0.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-3083?
CVE-2025-3083 is classified as a critical vulnerability due to its potential to crash the MongoDB mongos process.
How do I fix CVE-2025-3083?
To remediate CVE-2025-3083, upgrade to MongoDB version 5.0.31, 6.0.20, or later for version 7.0.
Which versions of MongoDB are affected by CVE-2025-3083?
MongoDB v5.0 versions prior to 5.0.31, v6.0 versions prior to 6.0.20, and v7.0 versions before 7.0.16 are affected by CVE-2025-3083.
Can CVE-2025-3083 be exploited using an unauthenticated connection?
Yes, CVE-2025-3083 can be exploited without using an authenticated connection.
What impact does CVE-2025-3083 have on MongoDB operations?
CVE-2025-3083 can lead to unexpected crashes of the mongos process during command validation, disrupting database operations.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/title
- agent/first-publish-date
- agent/type
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/mongodb
- canonical/mongodb