CVE-2025-6713

7.7 HIGH

📋 TL;DR

This vulnerability allows unauthorized users to bypass MongoDB's authorization controls by exploiting a flaw in the $mergeCursors aggregation pipeline stage. Attackers can access data they shouldn't have permission to view. This affects MongoDB Server versions 6.0 before 6.0.22, 7.0 before 7.0.19, and 8.0 before 8.0.7.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: 6.0.0-6.0.21, 7.0.0-7.0.18, 8.0.0-8.0.6
Operating Systems: All platforms running affected MongoDB versions
Default Config Vulnerable: ⚠️ Yes
Notes: All MongoDB deployments with authentication enabled are vulnerable. The vulnerability requires an attacker to have some level of database access credentials.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unauthorized access to all database collections and documents, potentially exposing sensitive data including credentials, personal information, and proprietary business data.

🟠 Likely Case

Unauthorized data access to specific collections or documents that the attacker can target through crafted aggregation queries.

🟢 If Mitigated

Limited impact with proper network segmentation, minimal user privileges, and monitoring of aggregation pipeline usage.

🌐 Internet-Facing: HIGH - MongoDB instances exposed to the internet are directly vulnerable to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this vulnerability to escalate privileges and access unauthorized data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of MongoDB aggregation pipeline syntax and some level of database access. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.22, 7.0.19, 8.0.7

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-106752

Restart Required: Yes

Instructions:

1. Download the patched version from MongoDB's official website.
2. Stop the MongoDB service.
3. Back up your data and configuration.
4. Install the patched version.
5. Restart the MongoDB service.
6. Verify the version is updated.

🔧 Temporary Workarounds

Disable Aggregation Pipeline

all

Temporarily disable aggregation pipeline functionality if not required for your application

// Caveat: MongoDB has no server parameter that switches off the aggregation framework or the
// $mergeCursors stage, and neither `allowDiskUse` nor `maxTimeMS` is a valid setParameter name
// (as originally written, both commands are rejected by the server). The nearest real parameter,
// allowDiskUseByDefault (6.0+), only stops pipelines spilling to temporary files; maxTimeMS is a
// per-operation option passed with the aggregate command, not a server-wide setting.
db.adminCommand({setParameter: 1, allowDiskUseByDefault: false})
db.collection.aggregate([ /* pipeline */ ], { maxTimeMS: 1000 })

Restrict User Privileges

all

Apply principle of least privilege to limit potential damage from exploitation

// Replace 'username' and 'database' with the account and database in question.
// Drop the write-capable role, then grant read-only access to the same database.
db.revokeRolesFromUser('username', [ { role: 'readWrite', db: 'database' } ])
db.grantRolesToUser('username', [ { role: 'read', db: 'database' } ])

🧯 If You Can't Patch

  • Implement strict network access controls to limit MongoDB access to trusted sources only
  • Enable detailed logging of aggregation pipeline operations and monitor for suspicious queries

🔍 How to Verify

Check if Vulnerable:

Connect to MongoDB and run db.version(); if the reported version falls within one of the affected ranges (6.0.0-6.0.21, 7.0.0-7.0.18, 8.0.0-8.0.6), the system is vulnerable.

Check Version:

db.version()

Verify Fix Applied:

After patching, run db.version() and confirm the version is at least 6.0.22, 7.0.19, or 8.0.7 on the corresponding release branch.
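The version check above can be scripted so it can be pasted into mongosh (where it would be called as isAffected(db.version())) or run under Node against a version string collected from many hosts. The following is an added example, not code from the advisory or from MongoDB; the affected and fixed versions are the ones listed on this page, and only the 6.0, 7.0 and 8.0 branches are covered, so any other branch is reported as out of scope rather than safe.

```javascript
// Added example (not from the advisory): decide whether a MongoDB server version string
// falls inside the CVE-2025-6713 affected ranges listed on this page.
// Affected: 6.0.0-6.0.21, 7.0.0-7.0.18, 8.0.0-8.0.6; fixed in 6.0.22, 7.0.19, 8.0.7.
const FIXED_IN = { 6: [6, 0, 22], 7: [7, 0, 19], 8: [8, 0, 7] };

// Parse "7.0.18" or "7.0.18-rc0" into [7, 0, 18]; a pre-release suffix is ignored.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside an affected range. Branches the advisory does not
// list (5.0, 8.1, ...) return false: they are out of scope here, not certified safe.
function isAffected(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED_IN[v[0]];
  if (!fixed || v[1] !== 0) return false;   // only the x.0 release lines are listed
  return compareVersions(v, fixed) < 0;
}

// One-line summary for an operator, naming the patch release to move to.
function report(versionString) {
  const v = parseVersion(versionString);
  if (isAffected(versionString)) {
    return `${versionString}: AFFECTED, upgrade to ${FIXED_IN[v[0]].join('.')} or later`;
  }
  return `${versionString}: not in an affected range`;
}

// Stand-alone run: in mongosh, replace the literal with db.version().
console.log(report('7.0.18'));
```

Pre-release builds such as 7.0.18-rc1 are compared on their numeric part only, which is the conservative choice for a check like this.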

📡 Detection & Monitoring

Log Indicators:

  • Unusual aggregation pipeline queries
  • $mergeCursors operations from unexpected users
  • Authorization failures followed by successful data access

Network Indicators:

  • Unusual patterns of database queries from single sources
  • High volume of aggregation pipeline requests

SIEM Query:

source="mongodb.log" AND ("$mergeCursors" OR "aggregate" OR "pipeline") AND (user!="expected_user" OR src_ip!="trusted_ip")

(The server logs the command name as aggregate, not aggregation; user and src_ip are placeholder field names to map onto your log schema.)
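The log indicators and SIEM query above can be applied directly to MongoDB's structured JSON log with a small script. The following is an added example, not code from the advisory or from MongoDB: it scans log lines for aggregate commands whose pipeline contains a $mergeCursors stage, attributes each one to a user by correlating the connection id (ctx) with the earlier "Authentication succeeded" event on that connection, and flags those from users or hosts outside an allow-list. It assumes the 4.4+ JSON log layout with log id 20250 for authentication success (attr.principalName, attr.remote) and id 51803 for slow-query entries (attr.command); the allow-lists and the sample log lines are constructed for the example and should be checked against your own deployment's logs.

```javascript
// Added example, not from the advisory: detect $mergeCursors aggregates in MongoDB JSON
// logs and flag those from unexpected users or hosts.
// Assumptions: log id 20250 = "Authentication succeeded" carrying attr.principalName and
// attr.remote; id 51803 = "Slow query" carrying attr.command. Allow-lists are examples.
const EXPECTED_USERS = new Set(['app_user']);   // assumption: principals expected to aggregate
const TRUSTED_HOSTS = new Set(['10.0.0.5']);    // assumption: application server addresses

// Constructed sample log lines, not real captures.
const SAMPLE_LOG = [
  '{"t":{"$date":"2025-06-10T12:00:00.000Z"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn12","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app_user","authenticationDatabase":"admin","remote":"10.0.0.5:51234"}}',
  '{"t":{"$date":"2025-06-10T12:00:01.000Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$match":{"status":"paid"}}],"cursor":{},"$db":"shop"},"remote":"10.0.0.5:51234","durationMillis":120}}',
  '{"t":{"$date":"2025-06-10T12:00:02.000Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn13","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$mergeCursors":{"cursors":[]}},{"$limit":10}],"cursor":{},"$db":"shop"},"remote":"203.0.113.9:40001","durationMillis":90}}',
  '{"t":{"$date":"2025-06-10T12:00:03.000Z"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn14","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"reporting","authenticationDatabase":"admin","remote":"10.0.0.5:51300"}}',
  '{"t":{"$date":"2025-06-10T12:00:04.000Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn14","msg":"Slow query","attr":{"type":"command","ns":"shop.users","command":{"aggregate":"users","pipeline":[{"$mergeCursors":{"cursors":[]}}],"cursor":{},"$db":"shop"},"remote":"10.0.0.5:51300","durationMillis":45}}',
  'not a json line: skipped by the parser',
];

// True when any stage object in the pipeline uses the named operator.
function pipelineHasStage(pipeline, stageName) {
  return Array.isArray(pipeline) &&
    pipeline.some(stage => stage !== null && typeof stage === 'object' && stageName in stage);
}

// "10.0.0.5:51234" -> "10.0.0.5"; "[::1]:27017" -> "::1".
function hostOf(remote) {
  if (typeof remote !== 'string') return '';
  const v6 = /^\[(.+)\]:\d+$/.exec(remote);
  return v6 ? v6[1] : remote.replace(/:\d+$/, '');
}

// Walk the log once and return one alert per $mergeCursors aggregate seen on a client
// connection. `reasons` is empty when user and host are both allow-listed; since the
// stage is normally generated internally by mongos, even those deserve a look.
function analyseLog(lines) {
  const userByConn = new Map();   // ctx -> principal, from authentication events
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }   // skip non-JSON lines
    const attr = rec.attr || {};
    if (rec.id === 20250 && attr.principalName) {
      userByConn.set(rec.ctx, attr.principalName);
      continue;
    }
    const cmd = attr.command;
    if (!cmd || !('aggregate' in cmd) || !pipelineHasStage(cmd.pipeline, '$mergeCursors')) continue;
    const user = userByConn.get(rec.ctx) || 'unknown';
    const host = hostOf(attr.remote);
    const reasons = [];
    if (!EXPECTED_USERS.has(user)) reasons.push(`unexpected user "${user}"`);
    if (!TRUSTED_HOSTS.has(host)) reasons.push(`untrusted host ${host}`);
    alerts.push({ time: rec.t ? rec.t.$date : undefined, ctx: rec.ctx, ns: attr.ns, user, host, reasons });
  }
  return alerts;
}

for (const a of analyseLog(SAMPLE_LOG)) {
  console.log(`${a.time} ${a.ctx} ${a.ns} user=${a.user} host=${a.host} ${a.reasons.join('; ') || 'allow-listed'}`);
}
```

Correlating on ctx rather than on a user field in the query record matters because the slow-query entry itself does not name the principal; a connection with no preceding authentication event in the scanned window shows up as user "unknown", which is itself worth raising. The 'Slow query' entries only appear for operations above slowms (or at profiling level that logs all operations), so for this detection to see every aggregate you need the logging threshold set accordingly.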
