Use-after-free in the MongoDB server query planner may lead to...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

Basic Information

ID CVE-2025-11979

Source mongodb

Published Oct 20, 2025 at 17:47

Modified Oct 20, 2025 at 20:21

Affected Product

Vendor MongoDB Inc.

Product Server

Version 8.2.0

Affected Versions MongoDB Inc. Server 8.2.0
MongoDB Inc. Server 8.0.0
MongoDB Inc. Server 7.0.0

CWE Classification

CWE-416

References

jira.mongodb.org /browse/SERVER-105873

{
    "lastseen": "",
    "description": "An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.",
    "published": "2025-10-20T17:47:57.947Z",
    "modified": "2025-10-20T20:21:27.265Z",
    "type": "cve",
    "title": "Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-105873",
    "id": "CVE-2025-11979",
    "bulletinFamily": "",
    "cwe": [
        "CWE-416"
    ],
    "cvelist": null,
    "sourceData": "MongoDB Inc. Server 8.2.0\nMongoDB Inc. Server 8.0.0\nMongoDB Inc. Server 7.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Server",
    "version": "8.2.0",
    "vendor": "MongoDB Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior_CVE-2025-11979