CVE-2025-10060

6.5 MEDIUM

📋 TL;DR

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, causing an invariant failure and server crash during commit. This affects MongoDB Server v6.0 prior to 6.0.25, v7.0 prior to 7.0.22, and v8.0 prior to 8.0.12. The vulnerability stems from improper WriteUnitOfWork state management.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: v6.0 prior to 6.0.25, v7.0 prior to 7.0.22, v8.0 prior to 8.0.12
Operating Systems: All platforms running affected MongoDB versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires transactions with upsert operations and retry logic. All deployments using affected versions are vulnerable if using transactions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Server crash leading to denial of service, potential data corruption if the crash occurs during critical transactions.

🟠 Likely Case: Server crash requiring restart, temporary service disruption during transaction processing.

🟢 If Mitigated: No impact if patched or if the affected operations are avoided.

🌐 Internet-Facing: MEDIUM - Requires specific transaction conditions but could be triggered by malicious queries.
🏢 Internal Only: MEDIUM - Same technical risk but limited to authenticated users with transaction permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and specific transaction conditions. No public exploit available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.0.25, v7.0.22, v8.0.12 or later

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-95524

Restart Required: No

Instructions:

1. Identify affected MongoDB instances.
2. Download and install the patched version from the MongoDB website.
3. Upgrade following MongoDB's rolling upgrade procedure for replica sets or sharded clusters.
4. Verify the version after the upgrade.

🔧 Temporary Workarounds

Disable transaction retries (applies to: all)

Avoid retrying upsert operations within transactions to prevent triggering the vulnerability.

Configure application logic to not retry failed upsert operations in transactions.

Avoid upsert in transactions (applies to: all)

Use separate insert/update operations instead of upsert within transactions.

Modify application code to separate insert and update logic.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute transactions
  • Monitor for transaction failures and server crashes, implement rapid restart procedures

🔍 How to Verify

Check if Vulnerable:

Check the MongoDB version and compare it against the affected versions. Review whether transactions with upsert operations are used.

Check Version:

db.version()

Verify Fix Applied:

Verify MongoDB version is at or above patched versions. Test transaction scenarios that previously caused issues.
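As an added example that is not part of the original advisory, the following mongosh/JavaScript helper classifies the output of db.version() against the fix versions listed above (6.0.25, 7.0.22, 8.0.12); the names FIXED_VERSIONS, parseVersion, compareVersions and classifyVersion are introduced here, and a pre-release build of a fix version (for example 7.0.22-rc0) is treated as still affected.

```javascript
// Added helper (not from the advisory): classify a MongoDB server version
// against the fix versions this advisory lists: 6.0.25, 7.0.22, 8.0.12.
// Runs in mongosh (classifyVersion(db.version())) or in node with a string.
const FIXED_VERSIONS = {
  "6.0": [6, 0, 25],
  "7.0": [7, 0, 22],
  "8.0": [8, 0, 12],
};

// Parse "7.0.21" or "7.0.22-rc0" into [major, minor, patch, isPreRelease].
// A pre-release build (e.g. -rc0) of the fix version still predates the fix.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] !== undefined];
}

// Numeric compare on major.minor.patch; a pre-release sorts below the
// release with the same numbers. Returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  if (a[3] !== b[3]) return a[3] ? -1 : 1;
  return 0;
}

// "affected":   below the fix version for its release series
// "fixed":      at or above the fix version
// "not-listed": a release series the advisory does not name (e.g. 5.0, 8.1)
function classifyVersion(s) {
  const v = parseVersion(s);
  const fixed = FIXED_VERSIONS[`${v[0]}.${v[1]}`];
  if (!fixed) return "not-listed";
  return compareVersions(v, [...fixed, false]) < 0 ? "affected" : "fixed";
}

// Usage in mongosh against a live server:
//   classifyVersion(db.version())
```

A "not-listed" result means the release series is outside the ranges this advisory names, not that it is confirmed safe.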

📡 Detection & Monitoring

Log Indicators:

  • "Invariant failure" messages in MongoDB logs
  • Unexpected server crashes during transaction commit
  • Error codes related to unique constraint violations

Network Indicators:

  • Sudden drop in MongoDB connections
  • Transaction timeout errors from applications

SIEM Query:

source="mongodb.log" AND ("Invariant failure" OR "Fatal assertion" OR "server crash")
