MongoDB Windows installation MSI may leave ACLs unset on custom...

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5

Basic Information

ID CVE-2025-10491

Source mongodb

Published Sep 15, 2025 at 16:04

Affected Product

Vendor MongoDB Inc

Product MongoDB Server

Version 6.0

Affected Versions MongoDB Inc MongoDB Server 6.0
MongoDB Inc MongoDB Server 7.0
MongoDB Inc MongoDB Server 8.0

CWE Classification

CWE-284

References

jira.mongodb.org /browse/SERVER-51366

{
    "lastseen": "",
    "description": "The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5",
    "published": "2025-09-15T16:04:54.221Z",
    "modified": "2025-09-15T16:04:54.221Z",
    "type": "cve",
    "title": "MongoDB Windows installation MSI may leave ACLs unset on custom installation directories",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-51366",
    "id": "CVE-2025-10491",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "MongoDB Inc MongoDB Server 6.0\nMongoDB Inc MongoDB Server 7.0\nMongoDB Inc MongoDB Server 8.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Server",
    "version": "6.0",
    "vendor": "MongoDB Inc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MongoDB Windows installation MSI may leave ACLs unset on custom installation directories_CVE-2025-10491