CVE-2025-10059

6.5 MEDIUM

📋 TL;DR

Improper handling of the lsid field in sharded queries can cause MongoDB routers (mongos) to crash when the field is supplied in contexts where it is not applicable. This affects MongoDB Server versions 6.0 (prior to patched versions), 7.0 (prior to 7.0.18), and 8.0 (prior to 8.0.6). The vulnerability allows denial of service through router crashes.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: MongoDB Server v6.0 (prior to patched versions), v7.0 (prior to 7.0.18), v8.0 (prior to 8.0.6)
Operating Systems: All platforms running affected MongoDB versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MongoDB deployments using sharding; standalone deployments are not vulnerable. The vulnerability is in the router (mongos) component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of a MongoDB sharded cluster due to cascading router crashes, causing extended service disruption and loss of data access.

🟠 Likely Case

Intermittent router crashes leading to temporary service degradation, failed queries, and potential connection drops for applications.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and restart of affected routers.

🌐 Internet-Facing: MEDIUM - Attackers could potentially trigger crashes if they can send crafted queries to exposed MongoDB routers, but requires specific knowledge of the vulnerability.
🏢 Internal Only: MEDIUM - Internal users or compromised accounts could exploit this to cause service disruption, though impact is limited to denial of service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending specific malformed queries to MongoDB routers. No authentication bypass is involved, but any user with query permissions could potentially trigger the crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MongoDB Server v6.0.x (latest patch), v7.0.18, v8.0.6

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-100901

Restart Required: Yes

Instructions:

1. Identify affected MongoDB routers (mongos instances).
2. Download and install the patched version for your MongoDB release.
3. Restart all mongos instances.
4. Verify the fix by checking the version and monitoring for crashes.

🔧 Temporary Workarounds

Restrict query permissions (platform: all)

Limit which users can execute queries on sharded collections to reduce the attack surface.

db.grantRolesToUser("username", [{role: "read", db: "database"}]) // Example: grant only the minimal roles a user needs; run against the admin or target database as a user with userAdmin privileges

Network segmentation (platform: linux)

Restrict network access to MongoDB routers to only trusted application servers.

iptables -A INPUT -p tcp --dport 27017 -s trusted_ip -j ACCEPT   # repeat once per trusted application server, replacing trusted_ip
iptables -A INPUT -p tcp --dport 27017 -j DROP                    # everything else to the mongos port is dropped; order matters, ACCEPT rules must come first

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can connect to MongoDB routers
  • Deploy monitoring and alerting for mongos process crashes with automated restart capabilities

🔍 How to Verify

Check if Vulnerable:

Check the MongoDB version on every mongos instance with db.version() and verify whether it falls in the affected range (v6.0 prior to the patched builds, v7.0 < 7.0.18, v8.0 < 8.0.6).

Check Version:

mongosh --eval "db.version()" (pointed at each mongos), or connect to the mongos interactively and run db.version()

Verify Fix Applied:

After patching, verify version is at or above: v6.0.x (latest), v7.0.18, or v8.0.6. Monitor mongos logs for absence of crash reports related to lsid handling.
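The version check above is easy to get wrong when done by eye across a fleet of routers (7.0.18 sorts before 7.0.9 as a string). The following is an added example, not code from the advisory or from MongoDB, that classifies a db.version() string against the ranges stated on this page. The 7.0.18 and 8.0.6 thresholds come from the advisory; because the advisory gives no patched build number for 6.0, 6.0.x is reported as "check-advisory" rather than guessing one, and branches the advisory does not list (for example 7.3.x) are reported as "not-listed". The function names and the sample fleet are constructed for this example.

```javascript
// Added example (not from the advisory or MongoDB): classify a db.version()
// string against the affected ranges stated in the advisory.
// Patched builds taken from the advisory; 6.0 has no number on the page.
const PATCHED = { 7: { minor: 0, patch: 18 }, 8: { minor: 0, patch: 6 } };

// Parse "8.0.5" (or "8.0.5-rc0"-style strings) into numeric components.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Returns one of: "vulnerable", "patched", "check-advisory" (6.0.x, patched
// build not stated on the page) or "not-listed" (branch not named in the advisory).
function classifyVersion(version) {
  const v = parseVersion(version);
  if (v.major === 6 && v.minor === 0) return 'check-advisory';
  const fix = PATCHED[v.major];
  if (!fix || v.minor !== fix.minor) return 'not-listed';
  return v.patch < fix.patch ? 'vulnerable' : 'patched';
}

// Summarise a list of {host, version} reports collected from each mongos
// (e.g. via `mongosh --eval "db.version()"`) into per-status host lists.
function summarizeFleet(reports) {
  const summary = { vulnerable: [], patched: [], 'check-advisory': [], 'not-listed': [] };
  for (const r of reports) summary[classifyVersion(r.version)].push(r.host);
  return summary;
}

// Constructed sample fleet for demonstration; hostnames are placeholders.
const SAMPLE_FLEET = [
  { host: 'mongos-a.example', version: '7.0.17' },
  { host: 'mongos-b.example', version: '7.0.18' },
  { host: 'mongos-c.example', version: '8.0.5' },
  { host: 'mongos-d.example', version: '6.0.20' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarizeFleet(SAMPLE_FLEET));
}
```

Inside mongosh the same function can be run directly against the connected router with classifyVersion(db.version()); under Node it prints the per-status host lists for the constructed fleet.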

📡 Detection & Monitoring

Log Indicators:

  • Mongos process crash logs
  • Error messages containing 'lsid' or 'sharded query' in mongod/mongos logs
  • Unexpected termination of mongos processes

Network Indicators:

  • Sudden drop in MongoDB router connections
  • Increased failed query responses from mongos instances

SIEM Query:

source="mongodb.log" AND ("crash" OR "aborted" OR "lsid") AND process="mongos"
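For sites without a SIEM, the same log indicators can be checked with a small script. The following is an added example, not code from the advisory or from MongoDB: it scans mongos log lines for error or fatal entries and for any entry mentioning lsid, the two indicators listed above. It assumes MongoDB's structured JSON log format (one JSON object per line with "t", "s", "c", "id", "ctx", "msg" and "attr" fields); the sample lines, their message texts and their id values are constructed for this example and are not captured from a real crash.

```javascript
// Added example (not from the advisory or MongoDB): scan mongos structured JSON
// log lines for the indicators the advisory lists (severity E/F, mentions of lsid).
// Sample lines below are constructed; message texts and ids are placeholders.
const SAMPLE_MONGOS_LOG = [
  '{"t":{"$date":"2025-01-01T10:00:00.000+00:00"},"s":"I","c":"NETWORK","id":0,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234"}}',
  '{"t":{"$date":"2025-01-01T10:00:01.000+00:00"},"s":"E","c":"COMMAND","id":0,"ctx":"conn12","msg":"Failed to process command","attr":{"error":"unexpected lsid in sharded query"}}',
  '{"t":{"$date":"2025-01-01T10:00:01.200+00:00"},"s":"F","c":"CONTROL","id":0,"ctx":"conn12","msg":"Fatal assertion, terminating"}',
  '{"t":{"$date":"2025-01-01T10:00:01.300+00:00"},"s":"I","c":"CONTROL","id":0,"ctx":"main","msg":"Shutting down"}',
];

// Returns the matching entries plus counters a monitoring job can alert on.
// crashSuspected is set when a fatal (severity F) entry is present; unparseable
// counts non-JSON lines, which can indicate a log truncated by abrupt termination.
function scanMongosLog(lines) {
  const alerts = [];
  let fatal = 0;
  let unparseable = 0;
  for (const line of lines) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      unparseable += 1;
      continue;
    }
    const reasons = [];
    if (entry.s === 'E' || entry.s === 'F') reasons.push(`severity ${entry.s}`);
    if (/lsid/i.test(line)) reasons.push('mentions lsid');  // matches msg or any attr value
    if (entry.s === 'F') fatal += 1;
    if (reasons.length > 0) {
      alerts.push({
        time: entry.t && entry.t.$date,
        ctx: entry.ctx,
        msg: entry.msg,
        reasons,
      });
    }
  }
  return { alerts, fatal, unparseable, crashSuspected: fatal > 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Read a real mongos log file if one is given, otherwise use the constructed sample.
  const fs = require('fs');
  const lines = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8').split('\n') : SAMPLE_MONGOS_LOG;
  console.log(JSON.stringify(scanMongosLog(lines), null, 2));
}
```

Run it as node scan.js /path/to/mongos.log to get a JSON report; a non-zero fatal count or a run of alerts mentioning lsid around the same ctx is the pattern worth paging on, with the restart automation noted under "If You Can't Patch".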
