CVE-2025-12119

6.8 MEDIUM

📋 TL;DR

This vulnerability in the MongoDB C driver allows reading invalid memory when large options are passed to mongoc_bulk_operation_t functions. It affects applications using the MongoDB C driver, the PHP driver, or related bindings, and could lead to crashes or information disclosure.

💻 Affected Systems

Products:
  • MongoDB C Driver
  • MongoDB PHP Driver
  • Applications using these drivers
Versions: C Driver: <1.30.6, <2.1.2; PHP Driver: <1.21.2
Operating Systems: All platforms where affected drivers are used
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must use bulk operations with large options to trigger the vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if combined with other vulnerabilities, or sensitive memory disclosure.

🟠 Likely Case: Application crashes leading to denial of service, or limited memory disclosure.

🟢 If Mitigated: No impact if proper input validation and size limits are enforced.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to pass large options to bulk operations, typically requiring application-level access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: C Driver: 1.30.6 or 2.1.2; PHP Driver: 1.21.2

Vendor Advisory: https://github.com/mongodb/mongo-c-driver/releases/tag/1.30.6

Restart Required: Yes

Instructions:

1. Identify affected MongoDB driver versions.
2. Update to patched versions: mongo-c-driver >=1.30.6 or >=2.1.2, mongo-php-driver >=1.21.2.
3. Restart applications using the drivers.

🔧 Temporary Workarounds

Input validation for bulk operation options (platform: all)

Implement application-level validation to limit the size of options passed to mongoc_bulk_operation_t functions.

🧯 If You Can't Patch

  • Implement strict input validation to reject large options in bulk operations.
  • Isolate affected systems from untrusted networks and monitor for crashes.

🔍 How to Verify

Check if Vulnerable:

Check installed driver versions: the libmongoc version for the C driver, php -m | grep mongodb for the PHP driver.

Check Version:

C Driver: pkg-config --modversion libmongoc-1.0; PHP: php -i | grep mongodb

Verify Fix Applied:

Verify updated versions: libmongoc >=1.30.6 or >=2.1.2, PHP mongodb extension >=1.21.2.
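A version check for the thresholds above, as an added example that is not part of this advisory: it compares an installed libmongoc version against the two fixed releases (1.30.6 on the 1.x line, 2.1.2 on the 2.x line) and falls back to the pkg-config query given above when no version is supplied. The vercmp, libmongoc_is_patched and report_installed names are assumptions for this example, not driver tooling.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed libmongoc
# is at or past the fixed releases for CVE-2025-12119.
# Fixed releases per the advisory: 1.30.6 on the 1.x line, 2.1.2 on the 2.x line.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}                 # leading component of each
    [ "$ai" = "$a" ] && a="" || a=${a#*.}    # consume it (last one -> empty)
    [ "$bi" = "$b" ] && b="" || b=${b#*.}
    ai=${ai:-0}; bi=${bi:-0}                 # a missing component counts as 0
    if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
  done
  echo 0
}

# Exit 0 when the version contains the fix. The branch matters: 1.30.6 is
# fixed while 2.0.x is not, so a plain ">= 1.30.6" test would be wrong.
# A suffix such as "-dev" or "-rc1" is dropped before comparing.
libmongoc_is_patched() {
  v=${1%%-*}
  case "${v%%.*}" in
    1) [ "$(vercmp "$v" 1.30.6)" -ge 0 ] ;;
    2) [ "$(vercmp "$v" 2.1.2)" -ge 0 ] ;;
    *) [ "${v%%.*}" -gt 2 ] 2>/dev/null ;;   # later majors: fixed; junk: false
  esac
}

# Report on the installed driver. With no version argument it runs the
# pkg-config query from the advisory (the .pc name can be overridden).
report_installed() {
  v="$1"; pc="${2:-libmongoc-1.0}"
  if [ -z "$v" ] && command -v pkg-config >/dev/null 2>&1; then
    v=$(pkg-config --modversion "$pc" 2>/dev/null)
  fi
  if [ -z "$v" ]; then echo "libmongoc: not found, nothing to check"; return 2; fi
  if libmongoc_is_patched "$v"; then echo "libmongoc $v: PATCHED"; return 0; fi
  echo "libmongoc $v: VULNERABLE (upgrade to 1.30.6 / 2.1.2 or later)"; return 1
}

report_installed "$@" || :
```

Run it with no arguments on the host to query pkg-config, or pass a version string (for example one read from a container image manifest) to check it offline.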

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to MongoDB bulk operations
  • Memory access violation errors in logs

Network Indicators:

  • Unusual MongoDB query patterns with large payloads

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "memory violation" OR "mongoc_bulk")
