CVE-2025-6706
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-6706
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6706.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-6706
- Aliases
- Downstream
- Published
- 2025-06-26T14:15:35Z
- Modified
- 2025-09-17T05:21:56.034399Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.
- References
Affected packages
Git / github.com/mongodb/mongo
Affected versions
r6.*
r6.0.0
r6.0.1
r6.0.1-rc0
r6.0.10
r6.0.10-rc0
r6.0.11
r6.0.11-rc0
r6.0.12
r6.0.12-rc0
r6.0.12-rc1
r6.0.13
r6.0.13-rc0
r6.0.14
r6.0.14-rc0
r6.0.14-rc1
r6.0.15
r6.0.15-rc0
r6.0.16
r6.0.16-rc0
r6.0.17
r6.0.17-rc0
r6.0.18
r6.0.18-rc0
r6.0.19
r6.0.2
r6.0.2-rc0
r6.0.2-rc1
r6.0.20
r6.0.20-rc0
r6.0.20-rc1
r6.0.20-rc2
r6.0.20-rc3
r6.0.3
r6.0.3-rc0
r6.0.3-rc1
r6.0.3-rc2
r6.0.4
r6.0.4-rc0
r6.0.4-rc1
r6.0.5
r6.0.5-rc0
r6.0.5-rc1
r6.0.6
r6.0.6-rc0
r6.0.6-rc1
r6.0.7
r6.0.7-rc0
r6.0.8
r6.0.8-rc0
r6.0.9
r6.0.9-rc0
r6.0.9-rc1
Database specific
{
"vanir_signatures": [
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "324731960150289540980834762556588772295",
"length": 11998.0
},
"deprecated": false,
"id": "CVE-2025-6706-02da7f08",
"target": {
"file": "src/mongo/db/query/classic_stage_builder.cpp",
"function": "ClassicStageBuilder::build"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "74721346382742554427103070829589351717",
"length": 355.0
},
"deprecated": false,
"id": "CVE-2025-6706-04aca510",
"target": {
"file": "src/mongo/db/query/plan_enumerator.cpp",
"function": "PlanEnumerator::getNext"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "6750677528220597691009422494444808667",
"length": 5055.0
},
"deprecated": false,
"id": "CVE-2025-6706-0ca6dbf5",
"target": {
"file": "src/mongo/db/query/planner_ixselect.cpp",
"function": "QueryPlannerIXSelect::_compatible"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"10066572042982452419190648275880004759",
"198010942107892612119844421222233465981",
"238555843601584275087869651267173119853",
"218292219009861977983067820021497983774"
]
},
"deprecated": false,
"id": "CVE-2025-6706-10d73161",
"target": {
"file": "src/mongo/db/query/planner_ixselect.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"323675016611822908901520286437579331970",
"134018369373461896889428775379890327204",
"110060140195004104665048901947222996114",
"49252125840708939910580577962037129759"
]
},
"deprecated": false,
"id": "CVE-2025-6706-320a26f6",
"target": {
"file": "src/mongo/db/commands/getmore_cmd.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"74480530075972489207882079862334429764",
"76410312924971237751169851963874629808",
"79022626286008810693439777307702037688",
"63471234647693922887625181921846898126",
"213512571532026548196990037065560722984",
"216953702257803626192425694834763335091",
"184599858042867205163347561657227639026",
"334283130975759149651470692416758486813",
"143946319678917081822532102637446812885",
"238540202553349890141274583720274765758"
]
},
"deprecated": false,
"id": "CVE-2025-6706-34accfc1",
"target": {
"file": "src/mongo/db/query/plan_executor_factory.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"325934018512381950537697277337436246001",
"182718589902973117584251429550925210539",
"7436171749258214253947874812145720868",
"116396899814353271616125903432356141976"
]
},
"deprecated": false,
"id": "CVE-2025-6706-3dfd0052",
"target": {
"file": "src/mongo/db/commands/run_aggregate.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "315579720131735595828496019705066544473",
"length": 3655.0
},
"deprecated": false,
"id": "CVE-2025-6706-450be5e7",
"target": {
"file": "src/mongo/db/commands/run_aggregate.cpp",
"function": "handleCursorCommand"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"53195843026111884998938521343974374173",
"230237911581286265848288504352558145943",
"209305753029730154019924762943689408857",
"188278831708682375185310562172448117050"
]
},
"deprecated": false,
"id": "CVE-2025-6706-46b55b85",
"target": {
"file": "src/mongo/db/query/classic_stage_builder.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"117996222717711035934246435470014861681",
"134503435815170199102225179521540750073",
"186482670758146755212771325428210146174",
"175448674506301054507302686564081847271"
]
},
"deprecated": false,
"id": "CVE-2025-6706-5db5e3f0",
"target": {
"file": "src/mongo/db/query/query_stats/query_stats.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"239760245189374196199053087318019641219",
"166658240041078105533858403956415681461",
"184613860848971087935595557361706193125",
"21627686114844893390008975237787558063",
"270299295809016924007056676644411041761",
"164457883294828323493140586031241570462",
"184613860848971087935595557361706193125",
"21627686114844893390008975237787558063"
]
},
"deprecated": false,
"id": "CVE-2025-6706-649dcc19",
"target": {
"file": "src/mongo/db/query/expression_index.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "330353328274016122203123709077513116764",
"length": 1499.0
},
"deprecated": false,
"id": "CVE-2025-6706-73db0d9b",
"target": {
"file": "src/mongo/db/query/sbe_stage_builder_index_scan.cpp",
"function": "makeIntervalsFromIndexBounds"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"9363958036791989920855153754359125296",
"212614258808394553218503732579496811630",
"324828096798884775161546544166307853114",
"311240997386380183087492118537665622982"
]
},
"deprecated": false,
"id": "CVE-2025-6706-7f149475",
"target": {
"file": "src/mongo/db/query/plan_enumerator.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"205050424898769862710277687559331953608",
"108188596002158574450440502237856818599",
"21459500346659147619504989491625648974",
"23316749593539662910705972082917395804"
]
},
"deprecated": false,
"id": "CVE-2025-6706-9e183a45",
"target": {
"file": "src/mongo/db/commands/distinct.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "271326683273544982550950067365164714652",
"length": 8399.0
},
"deprecated": false,
"id": "CVE-2025-6706-a5fa4151",
"target": {
"file": "src/mongo/db/commands/find_cmd.cpp",
"function": "run"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "18683832206106765511076032648809337438",
"length": 552.0
},
"deprecated": false,
"id": "CVE-2025-6706-a791dd5f",
"target": {
"file": "src/mongo/db/query/plan_executor_factory.cpp",
"function": "make"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "127231367950262132446204453201931301605",
"length": 418.0
},
"deprecated": false,
"id": "CVE-2025-6706-ba6bb206",
"target": {
"file": "src/mongo/db/query/expression_index.cpp",
"function": "ExpressionMapping::S2CellIdsToIntervals"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "198790066288247663210850446148914273963",
"length": 812.0
},
"deprecated": false,
"id": "CVE-2025-6706-c0854628",
"target": {
"file": "src/mongo/db/query/expression_index.cpp",
"function": "ExpressionMapping::S2CellIdsToIntervalsWithParents"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"305366697272645678512491038926620382457",
"267277981781185756058943621693643061891",
"327333684406704850282880008980341516469",
"90672606295781307607942416164877328061"
]
},
"deprecated": false,
"id": "CVE-2025-6706-d8fdb3ce",
"target": {
"file": "src/mongo/db/commands/find_cmd.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"function_hash": "7584353214389406896055162675308718886",
"length": 1998.0
},
"deprecated": false,
"id": "CVE-2025-6706-de645406",
"target": {
"file": "src/mongo/db/commands/getmore_cmd.cpp",
"function": "generateBatch"
},
"signature_version": "v1",
"signature_type": "Function"
},
{
"source": "https://github.com/mongodb/mongo/commit/f4184f18fe405b75258e85a8554481128fb46410",
"digest": {
"threshold": 0.9,
"line_hashes": [
"207116781706962205856707717630023094228",
"135169221765852504545383737733425835422",
"51443341853513551633927610171554928141",
"245965675408929541120275929136782993672",
"250754446376793506390399135194343105764"
]
},
"deprecated": false,
"id": "CVE-2025-6706-e46308c7",
"target": {
"file": "src/mongo/db/query/sbe_stage_builder_index_scan.cpp"
},
"signature_version": "v1",
"signature_type": "Line"
}
]
}