CVE-2025-6707

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-6707
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6707.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-6707
Aliases
Downstream
Published
2025-06-26T14:15:35Z
Modified
2025-09-17T05:21:42.224Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

References

Affected packages

Git / github.com/mongodb/mongo

Affected ranges

Type
GIT
Repo
https://github.com/mongodb/mongo
Events
Introduced
1184f004a99660de6f5e745573419bda8a28c0e9
Fixed
e8c5dca807cdfef1c9b3141c4c2bcd613d9700e7

Affected versions

r5.*

r5.0.0
r5.0.1
r5.0.1-rc0
r5.0.10
r5.0.10-rc0
r5.0.11
r5.0.11-rc0
r5.0.11-rc1
r5.0.12
r5.0.12-rc0
r5.0.13
r5.0.13-rc0
r5.0.14
r5.0.14-rc0
r5.0.15
r5.0.15-rc0
r5.0.15-rc1
r5.0.15-rc2
r5.0.16
r5.0.16-rc0
r5.0.17
r5.0.17-rc0
r5.0.18
r5.0.18-rc0
r5.0.18-rc1
r5.0.18-rc2
r5.0.19
r5.0.19-rc0
r5.0.2
r5.0.2-rc0
r5.0.20
r5.0.20-rc0
r5.0.20-rc1
r5.0.21
r5.0.21-rc0
r5.0.22
r5.0.22-rc0
r5.0.22-rc1
r5.0.23
r5.0.23-rc0
r5.0.24
r5.0.24-rc0
r5.0.25
r5.0.25-rc0
r5.0.26
r5.0.26-rc0
r5.0.27
r5.0.27-rc0
r5.0.28
r5.0.28-rc0
r5.0.29
r5.0.29-rc0
r5.0.3
r5.0.3-rc0
r5.0.3-rc1
r5.0.3-rc2
r5.0.30
r5.0.31-rc0
r5.0.4
r5.0.4-rc0
r5.0.5
r5.0.5-rc0
r5.0.6
r5.0.6-rc0
r5.0.6-rc1
r5.0.6-rc2
r5.0.7
r5.0.7-rc0
r5.0.7-rc1
r5.0.8
r5.0.8-rc0
r5.0.9
r5.0.9-rc0
r5.0.9-rc1

Database specific 

{
    "vanir_signatures": [
        {
            "target": {
                "file": "src/mongo/db/s/shard_server_op_observer.cpp",
                "function": "ShardServerOpObserver::onCreateCollection"
            },
            "digest": {
                "function_hash": "317059203157195173859428266013583839835",
                "length": 959.0
            },
            "signature_type": "Function",
            "source": "https://github.com/mongodb/mongo/commit/e8c5dca807cdfef1c9b3141c4c2bcd613d9700e7",
            "deprecated": false,
            "id": "CVE-2025-6707-98e95ab3",
            "signature_version": "v1"
        },
        {
            "target": {
                "file": "src/mongo/db/s/shard_server_op_observer.cpp"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "338095024408874251521027627609623809923",
                    "19517780008182253857358285612128038534",
                    "95532667481650364120857114228697583222",
                    "224358683231941325215866037278555672552"
                ]
            },
            "signature_type": "Line",
            "source": "https://github.com/mongodb/mongo/commit/e8c5dca807cdfef1c9b3141c4c2bcd613d9700e7",
            "deprecated": false,
            "id": "CVE-2025-6707-a50b1d1c",
            "signature_version": "v1"
        }
    ]
}