CVE-2025-3085

8.1 HIGH

📋 TL;DR

MongoDB servers running on Linux with TLS and CRL revocation checking enabled do not validate the revocation status of intermediate certificates in a presented chain. As a result, a chain built on a revoked intermediate certificate is accepted during MONGODB-X509 client authentication and during intra-cluster (member) authentication. Only MongoDB servers on Linux with this specific TLS configuration are affected.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: v5.0 before 5.0.31, v6.0 before 6.0.20, v7.0 before 7.0.16, v8.0 before 8.0.4
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Requires Linux OS, TLS with CRL revocation checking enabled, and MONGODB-X509 authentication (not default)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass authentication using revoked intermediate certificates, gaining unauthorized access to MongoDB databases and potentially compromising sensitive data or cluster integrity.

🟠

Likely Case

Unauthorized access to MongoDB instances using X509 authentication or intra-cluster communication, leading to data exposure or manipulation.

🟢

If Mitigated

Limited impact due to specific configuration requirements; proper certificate management and network segmentation reduce attack surface.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires possession of a certificate chain whose intermediate has been revoked, plus a server configured for TLS with CRL checking; MONGODB-X509 authentication is not enabled by default.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.0.31, v6.0.20, v7.0.16, v8.0.4

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-95445

Restart Required: Yes

Instructions:

1. Identify the running MongoDB version.
2. Upgrade to the patched version for your release branch: 5.0.31, 6.0.20, 7.0.16, or 8.0.4.
3. Restart the MongoDB service.
4. Verify the fix with a version check.

🔧 Temporary Workarounds

Disable CRL revocation checking

Platform: linux

Temporarily disable Certificate Revocation List checking in TLS configuration

Modify mongod.conf: set tlsCRLFile to empty or remove tlsCRLFile parameter

Disable MONGODB-X509 authentication

Platform: linux

Disable X509 authentication if not required

Modify mongod.conf: remove or comment out authenticationMechanisms: MONGODB-X509

🧯 If You Can't Patch

  • Disable CRL revocation checking in TLS configuration
  • Disable MONGODB-X509 authentication mechanism

🔍 How to Verify

Check if Vulnerable:

Check the MongoDB version and configuration:

1. Run 'mongod --version'.
2. Check mongod.conf for the tlsCRLFile and authenticationMechanisms settings.

Check Version:

mongod --version | grep 'db version'

Verify Fix Applied:

1. Confirm the MongoDB version is patched (5.0.31+, 6.0.20+, 7.0.16+, or 8.0.4+).
2. Verify that CRL checking rejects chains built on a revoked intermediate certificate.
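The two checks above (version against the fixed releases, and whether the configuration actually combines CRL checking with X.509 authentication) can be scripted. The following is an added example, not part of the advisory or MongoDB's own tooling. It assumes the output format `db version vX.Y.Z` printed by `mongod --version`, and that mongod.conf is in YAML form, where the CRL is set under `net.tls.CRLFile` (the `tlsCRLFile` command-line option) and X.509 is enabled either via `setParameter.authenticationMechanisms` containing `MONGODB-X509` or via `security.clusterAuthMode: x509`. The sample config file is constructed inline for demonstration. Note that the documented workaround of removing the CRL file disables revocation checking for every certificate, not only intermediates, so the version check is the one that confirms the actual fix.

```shell
#!/bin/sh
# Added example for CVE-2025-3085 triage (not vendor code).

# Fixed patch level per affected release branch, taken from the advisory.
fixed_patch_for() {
  case "$1" in
    5.0) echo 31 ;;
    6.0) echo 20 ;;
    7.0) echo 16 ;;
    8.0) echo 4 ;;
    *)   echo "" ;;   # branch not listed as affected
  esac
}

# is_vulnerable_version "db version v7.0.15"
#   returns 0 if the version is on an affected branch below the fix,
#   1 if patched or on an unlisted branch, 2 if the string cannot be parsed.
is_vulnerable_version() {
  parsed=$(printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2 \3/p')
  [ -n "$parsed" ] || return 2
  branch=${parsed% *}
  patch=${parsed#* }
  fixed=$(fixed_patch_for "$branch")
  [ -n "$fixed" ] || return 1
  [ "$patch" -lt "$fixed" ]
}

# config_has_risky_settings /path/to/mongod.conf
#   returns 0 when a CRL file is configured AND X.509 auth is in use
#   (client MONGODB-X509 or x509 cluster auth), i.e. the precondition
#   for this bug is present; 1 otherwise.
config_has_risky_settings() {
  conf=$1
  grep -Eq '^[[:space:]]*CRLFile:[[:space:]]*[^[:space:]#]' "$conf" || return 1
  grep -Eq 'MONGODB-X509|clusterAuthMode:[[:space:]]*x509' "$conf"
}

# Constructed sample config (hypothetical paths) for a stand-alone run.
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
    CRLFile: /etc/ssl/ca.crl
security:
  clusterAuthMode: x509
setParameter:
  authenticationMechanisms: MONGODB-X509
EOF
  echo "$f"
}

# Stand-alone usage: report on a live host.
if [ "${1:-}" = "--check" ]; then
  v=$(mongod --version 2>/dev/null | grep 'db version')
  if is_vulnerable_version "$v"; then echo "version affected: $v"; else echo "version not affected: $v"; fi
  if config_has_risky_settings /etc/mongod.conf; then echo "config enables CRL + X.509"; fi
fi
```

Run `sh check.sh --check` on the server; a version reported as affected together with "config enables CRL + X.509" means the host needs the upgrade (or, as a stop-gap, the workaround above).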

📡 Detection & Monitoring

Log Indicators:

  • Authentication failures with X509 certificates
  • Unexpected successful authentications from unknown certificates

Network Indicators:

  • TLS connections using intermediate certificates
  • Intra-cluster authentication attempts

SIEM Query:

source="mongodb" AND (event="authentication" OR event="connection") AND certificate_chain="intermediate"

🔗 References
