CVE-2025-3084: MongoDB Server may crash due to improper validation of explain command
First published: Tue Apr 01 2025(Updated: )
When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MongoDB | <5.0.31 | |
| MongoDB | <6.0.20 | |
| MongoDB | <7.0.16 | |
| MongoDB | <8.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-3084?
CVE-2025-3084 has a high severity rating due to its potential to cause crashes in MongoDB servers.
How do I fix CVE-2025-3084?
To fix CVE-2025-3084, upgrade your MongoDB Server to version 5.0.31 or higher, 6.0.20 or higher, or 7.0.16 or higher.
Which versions of MongoDB are affected by CVE-2025-3084?
CVE-2025-3084 affects MongoDB Server versions prior to 5.0.31, 6.0.20, and 7.0.16.
What causes the vulnerability in CVE-2025-3084?
The vulnerability in CVE-2025-3084 is caused by the failure of the explain command to properly validate certain command arguments.
What impact does CVE-2025-3084 have on MongoDB servers?
CVE-2025-3084 can lead to crashes of MongoDB router servers when specific invalid arguments are processed.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/title
- agent/first-publish-date
- agent/type
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/mongodb
- canonical/mongodb