CVE-2025-12657

5.0 MEDIUM

📋 TL;DR

MongoDB's KMIP response parser accepts malformed packets and builds invalid internal objects from them; when those objects are later accessed, a read access violation occurs. This affects MongoDB instances that use KMIP for key management. The vulnerability could lead to denial of service or information disclosure.

💻 Affected Systems

Products:
  • MongoDB
Versions: Specific versions not provided in reference; check MongoDB advisory for affected versions
Operating Systems: All platforms running affected MongoDB versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when KMIP (Key Management Interoperability Protocol) is configured and used for encryption key management.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Denial of service causing a MongoDB instance crash, potentially leading to data unavailability or information disclosure through memory access violations.

🟠 Likely Case: Service disruption or instability when malformed KMIP packets are processed, requiring a restart of affected MongoDB instances.

🟢 If Mitigated: Minimal impact if KMIP is not used or if network controls prevent malicious KMIP traffic.

🌐 Internet-Facing: MEDIUM - Requires KMIP to be exposed and accessible to attackers, which is less common than standard MongoDB ports.
🏢 Internal Only: MEDIUM - Internal attackers with KMIP access could disrupt MongoDB services or cause instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to send malformed KMIP packets to a MongoDB instance, which typically requires network access to the KMIP port and knowledge of the KMIP protocol.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check MongoDB security advisory for specific fixed versions

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-101230

Restart Required: Yes

Instructions:

1. Check the MongoDB security advisory for affected versions.
2. Upgrade to a patched version.
3. Restart the MongoDB service.
4. Verify KMIP functionality after the upgrade.

🔧 Temporary Workarounds

Disable KMIP if not required (applies to: all)

Remove the KMIP configuration if encryption key management does not require it:

  1. Modify mongod.conf to remove the KMIP configuration.
  2. Restart the MongoDB service.

Network segmentation for KMIP (applies to: all)

Restrict KMIP port access to trusted key management servers only:

  1. Configure firewall rules to restrict access to the KMIP port (typically 5696).

🧯 If You Can't Patch

  • Implement strict network controls to limit KMIP port access to authorized key management servers only
  • Monitor KMIP traffic for anomalies and implement rate limiting if possible

🔍 How to Verify

Check if Vulnerable:

Check the MongoDB version and the KMIP configuration. If KMIP is in use and the running version is affected, the system is vulnerable.

Check Version:

mongod --version

Verify Fix Applied:

Verify MongoDB version is updated to patched version and KMIP functionality works correctly after restart.
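The two checks above (is KMIP actually configured, and what version is running) can be scripted. The following is an added example, not code from the advisory or from MongoDB: it flattens the `security.kmip.*` keys of a mongod.conf and reads the version from `mongod --version` output. The config text and version output are constructed sample data, and `FIXED_VERSION` is a placeholder that you fill in from the MongoDB advisory, since the fixed versions are not given on this page.

```python
"""Check whether a mongod deployment uses KMIP and record its version.

Added example (not from the advisory or from MongoDB): it parses the
mongod.conf keys that enable KMIP and the output of `mongod --version`,
so an admin can tell at a glance whether this CVE applies. The config
text and version output below are constructed sample data.
"""
import re

# Constructed sample of a mongod.conf that enables KMIP-based key management.
SAMPLE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  enableEncryption: true
  kmip:
    serverName: kms.internal.example
    port: 5696
    clientCertificateFile: /etc/ssl/mongod-kmip.pem
net:
  port: 27017
"""

# Constructed sample of `mongod --version` output (version chosen arbitrarily).
SAMPLE_VERSION_OUTPUT = """\
db version v7.0.5
Build Info: {"version": "7.0.5", "gitVersion": "placeholder"}
"""


def flatten_conf(text):
    """Flatten the indentation-based mongod.conf (YAML subset: scalar keys,
    2-space nesting, no lists) into {"security.kmip.port": "5696", ...}."""
    flat = {}
    stack = []  # (indent, key) pairs for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat


def kmip_in_use(flat):
    """KMIP is only exercised when encryption is on and a KMIP server is set."""
    encryption_on = flat.get("security.enableEncryption", "false").lower() == "true"
    return encryption_on and "security.kmip.serverName" in flat


def parse_version(output):
    """Extract (major, minor, patch) from the first 'db version vX.Y.Z' line."""
    m = re.search(r"db version v(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(conf_text, version_output, fixed_version):
    """fixed_version is the (major, minor, patch) tuple from the advisory;
    returns 'not-applicable', 'patched', 'vulnerable' or 'unknown'."""
    if not kmip_in_use(flatten_conf(conf_text)):
        return "not-applicable"
    version = parse_version(version_output)
    if version is None or fixed_version is None:
        return "unknown"
    return "patched" if version >= fixed_version else "vulnerable"


if __name__ == "__main__":
    # Placeholder: take the real fixed version from SERVER-101230.
    FIXED_VERSION = None
    print(assess(SAMPLE_CONF, SAMPLE_VERSION_OUTPUT, FIXED_VERSION))
```

In a real run, replace `SAMPLE_CONF` with the contents of your mongod.conf and `SAMPLE_VERSION_OUTPUT` with the captured output of `mongod --version`; a result of "not-applicable" means the KMIP code path is not configured and the CVE does not apply to that instance.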

📡 Detection & Monitoring

Log Indicators:

  • MongoDB crash logs
  • Access violation errors in MongoDB logs
  • KMIP parsing errors

Network Indicators:

  • Unusual KMIP traffic patterns
  • KMIP packets from unexpected sources

SIEM Query:

source="mongodb.log" AND ("access violation" OR "crash" OR "KMIP parse")

🔗 References
