CVE-2025-10061
📋 TL;DR
An authorized MongoDB user can cause a denial of service by sending specially crafted $group queries with certain accumulator functions. This vulnerability affects MongoDB Server versions 6.0 before 6.0.25, 7.0 before 7.0.22, 8.0 before 8.0.12, and 8.1 before 8.1.2.
💻 Affected Systems
- MongoDB Server
📦 What is this software?
MongoDB by MongoDB
⚠️ Risk & Real-World Impact
Worst Case
Repeated exploitation could cause sustained service outages, disrupting database operations and dependent applications.
Likely Case
Authorized users could crash MongoDB instances, causing temporary service disruption until restart.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who would be accountable for such actions.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of specific $group query syntax with accumulator functions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.25, 7.0.22, 8.0.12, 8.1.2 or later
Vendor Advisory: https://jira.mongodb.org/browse/SERVER-99616
Restart Required: No
Instructions:
1. Identify affected MongoDB instances.
2. Download and install the patched version for your release series.
3. Apply the update following MongoDB's upgrade procedures.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict $group query permissions
Limit which users can execute $group operations through role-based access control. In the mongo shell:
// Define a role whose privileges are confined to basic CRUD actions on all databases and collections
// (an empty db and collection string means "any database" and "any collection").
db.createRole({ role: "restrictedGroup", privileges: [{ resource: { db: "", collection: "" }, actions: ["find", "insert", "update", "remove"] }], roles: [] })
// Assign the role to the user who should be restricted (replace "username" with the actual account name).
db.grantRolesToUser("username", ["restrictedGroup"])
🧯 If You Can't Patch
- Implement strict access controls to limit who can execute $group queries
- Monitor for unusual $group query patterns and implement rate limiting on queries
🔍 How to Verify
Check if Vulnerable:
Check the MongoDB version with db.version() and compare it against the affected ranges listed above.
Check Version:
db.version()
Verify Fix Applied:
Verify the version is 6.0.25+, 7.0.22+, 8.0.12+, or 8.1.2+ for its release series.
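The version comparison above is easy to get wrong by hand across a fleet (for example, 8.0.9 sorts after 8.0.12 as a string). The following is an added example, not code from the advisory or from MongoDB, that encodes the fixed versions listed in the advisory and reports whether a version string returned by db.version() falls inside an affected range. The inventory object and its hostnames are constructed sample data; handling of a "-rc0" style suffix is an assumption of this example.

```javascript
// Added example: classify MongoDB server versions against the fixed versions
// stated in the advisory for CVE-2025-10061.
// Assumption: version strings look like "7.0.21", optionally with a suffix
// such as "-rc0", which is stripped before comparison.

// Fixed version per release series, as listed in the advisory.
const FIXED_VERSIONS = {
  "6.0": "6.0.25",
  "7.0": "7.0.22",
  "8.0": "8.0.12",
  "8.1": "8.1.2",
};

// Parse "major.minor.patch[-suffix]" into [major, minor, patch] integers.
function parseVersion(v) {
  const core = String(v).split("-")[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length < 2 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// The fixed version for this server's release series, or null when the
// series is not one the advisory lists.
function fixedVersionFor(version) {
  const [major, minor] = parseVersion(version);
  return FIXED_VERSIONS[`${major}.${minor}`] ?? null;
}

// True when the version belongs to a listed series and is older than its fix.
function isVulnerable(version) {
  const fixed = fixedVersionFor(version);
  if (fixed === null) return false; // series not covered by this advisory
  return compareVersions(version, fixed) < 0;
}

// Classify a hostname -> db.version() inventory into three buckets.
function assessFleet(inventory) {
  const result = { vulnerable: [], patched: [], unlisted: [] };
  for (const [host, version] of Object.entries(inventory)) {
    const fixed = fixedVersionFor(version);
    if (fixed === null) result.unlisted.push(host);
    else if (compareVersions(version, fixed) < 0) result.vulnerable.push(host);
    else result.patched.push(host);
  }
  return result;
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = {
  "db-prod-01": "7.0.21",
  "db-prod-02": "7.0.22",
  "db-analytics": "8.0.11-rc0",
  "db-legacy": "5.0.31",
};

console.log(assessFleet(SAMPLE_INVENTORY));
```

A version outside the four listed series (such as 5.0.x in the sample) is reported as "unlisted" rather than "patched": the advisory says nothing about those series, so they need a separate decision rather than a clean bill of health.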
📡 Detection & Monitoring
Log Indicators:
- Unusual $group query patterns
- MongoDB process crashes or restarts
- Error logs related to accumulator functions
Network Indicators:
- Repeated $group queries from single sources
- Query patterns matching known exploit syntax
SIEM Query:
source="mongodb.log" AND "$group" AND ("accumulator" OR "crash" OR "error")