CVE-2025-13644

6.5 MEDIUM

📋 TL;DR

MongoDB Server may crash due to an invariant failure during batched delete operations when handling documents. The server incorrectly assumes multiple documents exist in a batch based on document size exceeding BSONObjMaxSize, leading to a denial of service. This affects MongoDB Server v7.0 prior to 7.0.26, v8.0 prior to 8.0.13, and v8.1 prior to 8.1.2.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: v7.0.0 to v7.0.25, v8.0.0 to v8.0.12, v8.1.0 to v8.1.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered during specific batched delete operations with large documents.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server crash leading to sustained denial of service, requiring manual restart and potentially causing data corruption or loss.

🟠 Likely Case

Server crash resulting in temporary denial of service until automatic or manual restart, with possible transaction disruption.

🟢 If Mitigated

Minimal impact with proper monitoring and automated restart mechanisms in place.

🌐 Internet-Facing: MEDIUM - Exploitable via authenticated database operations, but requires specific batched delete operations.
🏢 Internal Only: MEDIUM - Same exploit requirements, but reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated database access and specific batched delete operations to trigger the invariant failure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.0.26, v8.0.13, v8.1.2

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-101180

Restart Required: Yes

Instructions:

1. Download the patched version from MongoDB's official website.
2. Stop the MongoDB service.
3. Back up your data.
4. Install the patched version.
5. Restart the MongoDB service.
6. Verify the version is updated.

🔧 Temporary Workarounds

Disable batched delete operations (applies to: all platforms)

Prevent the use of batched delete operations that could trigger the vulnerability.

Configure application code to avoid batched delete operations with large documents.

Document size monitoring (applies to: all platforms)

Monitor and limit document sizes to prevent exceeding BSONObjMaxSize thresholds.

Implement application-level validation to reject documents exceeding size limits.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can perform delete operations.
  • Deploy monitoring and alerting for server crashes with automated restart capabilities.

🔍 How to Verify

Check if Vulnerable:

Check the MongoDB version using 'mongod --version' or 'db.version()' in the mongo shell and compare it against the affected ranges.

Check Version:

mongod --version

Verify Fix Applied:

After patching, verify that the version is v7.0.26+, v8.0.13+, or v8.1.2+ and test batched delete operations with large documents.
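The version comparison described above, carried out as an added script (not part of this advisory or of MongoDB's own tooling). It parses the "db version vX.Y.Z" line that 'mongod --version' prints, checks it against the affected ranges and patch versions listed on this page, and reports which branch to upgrade to. The sample output strings below are constructed; the helper and function names are the script's own.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 25)),
    ((8, 0, 0), (8, 0, 12)),
    ((8, 1, 0), (8, 1, 1)),
]

# First release carrying the fix for each affected branch (major, minor).
FIXED_VERSIONS = {
    (7, 0): (7, 0, 26),
    (8, 0): (8, 0, 13),
    (8, 1): (8, 1, 2),
}

# 'mongod --version' prints a first line of the form "db version v7.0.20".
VERSION_RE = re.compile(r"db version v(\d+)\.(\d+)\.(\d+)")


def fmt(v: Version) -> str:
    return "v" + ".".join(str(x) for x in v)


def parse_mongod_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from 'mongod --version' output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(output: str) -> str:
    """Classify raw 'mongod --version' output as vulnerable, fixed, or outside the listed branches."""
    v = parse_mongod_version(output)
    if v is None:
        return "unknown: could not parse a version string from the output"
    if is_affected(v):
        fixed = FIXED_VERSIONS[v[:2]]
        return f"vulnerable: {fmt(v)} is affected, upgrade to {fmt(fixed)} or later"
    if v[:2] in FIXED_VERSIONS:
        return f"fixed: {fmt(v)} is at or above the patched release {fmt(FIXED_VERSIONS[v[:2]])}"
    # Branches not named by the advisory (e.g. 6.0) are simply not in its ranges.
    return f"not in listed ranges: {fmt(v)} is not one of the branches named in the advisory"


def check_local_mongod() -> str:
    """Run 'mongod --version' on this host and assess the result."""
    try:
        proc = subprocess.run(["mongod", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown: mongod not found on PATH"
    return assess(proc.stdout)


if __name__ == "__main__":
    print(check_local_mongod())
```

Inclusive tuple comparison keeps the range check exact at the boundaries (7.0.25 is affected, 7.0.26 is not), which is where an ad hoc string comparison most often goes wrong.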

📡 Detection & Monitoring

Log Indicators:

  • Server crash logs with invariant failure messages
  • Unexpected termination of mongod process
  • Error logs mentioning batched delete operations

Network Indicators:

  • Sudden drop in database connectivity
  • Increased failed connection attempts

SIEM Query:

source="mongodb.log" AND ("invariant failure" OR "batched delete" OR "Fatal assertion")
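The log indicators and SIEM query above, expressed as an added detection script for hosts without a SIEM (this is not part of the advisory). It scans mongod log lines, handles both the JSON structured log format and plain-text lines, flags fatal-severity records and any message matching the indicator terms, and lists the connection contexts that hit a fatal assertion. The sample log lines are constructed for this example; the exact field layout of real mongod records is an assumption, and the function names are the script's own.

```python
import json
import re
from typing import Dict, List, Optional

# Same terms as the SIEM query on this page, matched case-insensitively.
INDICATOR_RE = re.compile(r"invariant failure|fatal assertion|batched delete", re.IGNORECASE)

# Constructed sample log (not a real capture); JSON lines approximate mongod's
# structured log layout, and two plain-text lines exercise the fallback path.
SAMPLE_LOG = """\
{"t":{"$date":"2025-06-01T10:00:00.000+00:00"},"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted"}
{"t":{"$date":"2025-06-01T10:00:05.120+00:00"},"s":"F","c":"ASSERT","ctx":"conn12","msg":"Invariant failure","attr":{"expr":"<placeholder>"}}
{"t":{"$date":"2025-06-01T10:00:05.121+00:00"},"s":"F","c":"ASSERT","ctx":"conn12","msg":"Fatal assertion","attr":{}}
2025-06-01T10:00:06 W COMMAND [conn7] slow batched delete on collection <placeholder>
some unrelated plain-text line
"""


def parse_line(line: str) -> Optional[Dict]:
    """Normalise one log line into a dict; non-JSON lines keep the raw text as msg."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return {"ts": None, "severity": None, "ctx": None, "msg": line, "attr": {}}
    t = rec.get("t")
    ts = t.get("$date") if isinstance(t, dict) else t
    return {
        "ts": ts,
        "severity": rec.get("s"),
        "ctx": rec.get("ctx"),
        "msg": rec.get("msg", ""),
        "attr": rec.get("attr", {}),
    }


def is_indicator(rec: Dict) -> bool:
    """Flag fatal-severity records and any record whose text matches the indicator terms."""
    if rec["severity"] == "F":
        return True
    text = rec["msg"] + " " + json.dumps(rec["attr"])
    return INDICATOR_RE.search(text) is not None


def scan_log(text: str) -> List[Dict]:
    """Return every parsed record from the log text that matches an indicator."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r is not None and is_indicator(r)]


def crash_contexts(findings: List[Dict]) -> List[str]:
    """Connection contexts that produced a fatal-severity record (one crash per context)."""
    return sorted({f["ctx"] for f in findings if f["severity"] == "F" and f["ctx"]})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["severity"], h["ctx"], h["msg"])
    print("contexts with fatal records:", crash_contexts(hits))
```

Flagging on severity "F" independently of the message text means a crash is caught even if the assertion wording differs between releases; the term match then adds the lower-severity "batched delete" lines that give context for what ran just before the abort.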
