Malformed KMIP response may result in access violation_CVE-2025-12657

5.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Description

The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.

Basic Information

ID CVE-2025-12657

Source mongodb

Published Nov 3, 2025 at 21:03

Modified Nov 3, 2025 at 21:26

Affected Product

Vendor MongoDB Inc.

Product MongoDB Server

Version 6.0

Affected Versions MongoDB Inc. MongoDB Server 6.0
MongoDB Inc. MongoDB Server 8.0

CWE Classification

CWE-754

References

jira.mongodb.org /browse/SERVER-101230

{
    "lastseen": "",
    "description": "The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.",
    "published": "2025-11-03T21:03:25.384Z",
    "modified": "2025-11-03T21:26:22.750Z",
    "type": "cve",
    "title": "Malformed KMIP response may result in access violation",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-101230",
    "id": "CVE-2025-12657",
    "bulletinFamily": "",
    "cwe": [
        "CWE-754"
    ],
    "cvelist": null,
    "sourceData": "MongoDB Inc. MongoDB Server 6.0\nMongoDB Inc. MongoDB Server 8.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Server",
    "version": "6.0",
    "vendor": "MongoDB Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}