CVE-2025-14345
📋 TL;DR
A post-authentication flaw in MongoDB's two-phase commit protocol for cross-shard transactions can cause logical data inconsistencies under specific, unpredictable conditions. This may lead to misinterpretation of transaction status, resulting in inconsistent data states across shards. Affected users are those running vulnerable MongoDB Server versions with cross-shard transactions enabled.
💻 Affected Systems
- MongoDB Server
📦 What is this software?
Mongodb by Mongodb
Mongodb by Mongodb
Mongodb by Mongodb
Mongodb by Mongodb
⚠️ Risk & Real-World Impact
Worst Case
Critical transaction data becomes inconsistent across shards, leading to data corruption, application errors, and potential business logic failures.
Likely Case
Occasional data inconsistencies in cross-shard transactions requiring manual intervention or application-level reconciliation.
If Mitigated
Minimal impact with proper monitoring and application-level transaction validation.
🎯 Exploit Status
Exploitation requires authenticated access, specific transaction timing, and cross-shard transaction usage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v8.0.16, v7.0.26, v8.2.2
Vendor Advisory: https://jira.mongodb.org/browse/SERVER-106075
Restart Required: Yes
Instructions:
1. Download patched version from MongoDB website. 2. Stop MongoDB service. 3. Install updated version. 4. Restart MongoDB service. 5. Verify version with mongod --version.
🔧 Temporary Workarounds
Disable cross-shard transactions
allTemporarily disable cross-shard transactions if not essential for operations
// Application-level configuration change required
🧯 If You Can't Patch
- Implement application-level transaction validation and reconciliation logic
- Increase monitoring for transaction consistency errors and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check MongoDB version and verify if cross-shard transactions are enabled in deploymentCheck Version:
mongod --versionVerify Fix Applied:
Confirm version is 8.0.16+, 7.0.26+, or 8.2.2+ and monitor for transaction consistency issues📡 Detection & Monitoring
Log Indicators:
- Transaction coordinator errors
- Cross-shard transaction consistency warnings
- Unexpected transaction rollbacks
Network Indicators:
- Increased transaction coordinator communication errors
SIEM Query:
source="mongodb.log" AND ("transaction coordinator" OR "cross-shard") AND (error OR warning OR rollback)