CVE-2025-11695

Configuration may unexpectedly disable certificate validation

CVSS 8 (High) · EPSS 0.2% · CWE-295
In short

The MongoDB Rust Driver disables certificate validation when tlsInsecure=false is set in the connection string, even though that value suggests validation should stay enabled. An attacker positioned on the network can therefore intercept the TLS connection to the database without being detected.

Technical detail

CWE-295: Improper Certificate Validation. When tlsInsecure=False is configured in a connection string for MongoDB Rust Driver versions earlier than 3.2.5, SSL/TLS certificate validation is unexpectedly disabled, enabling man-in-the-middle attacks on database connections. The vulnerability stems from inverted logic in the driver's connection-string option parsing: the option's value is treated as if it were true.

Official description: When tlsInsecure=False appears in a connection string, certificate validation is disabled. This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
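An added audit helper for the condition described above (example code, not the MongoDB driver's own): it parses the options of a mongodb:// connection string and flags the combination of tlsInsecure=false with a driver version earlier than 3.2.5. The URI and version strings it is run against are constructed sample values.

```rust
// Hypothetical audit helper for CVE-2025-11695, not driver code. Assumes the
// standard mongodb://host/db?key=value&key=value URI form; option names are
// compared case-insensitively, as MongoDB treats them.

/// Query options of a MongoDB URI as (lowercased key, raw value) pairs.
fn parse_uri_options(uri: &str) -> Vec<(String, String)> {
    match uri.split_once('?') {
        None => Vec::new(),
        Some((_, query)) => query
            .split('&')
            .filter(|kv| !kv.is_empty())
            .map(|kv| {
                let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
                (k.to_ascii_lowercase(), v.to_string())
            })
            .collect(),
    }
}

/// Parse "MAJOR.MINOR.PATCH" (optional leading 'v') into a comparable tuple.
fn parse_version(v: &str) -> Option<(u32, u32, u32)> {
    let mut it = v.trim_start_matches('v').split('.').map(|p| p.parse::<u32>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// True when this URI, used with the given driver version, would run with
/// certificate validation silently disabled (tlsInsecure=false before 3.2.5).
fn is_exposed(uri: &str, driver_version: &str) -> bool {
    let fixed_in = (3, 2, 5);
    let ver = match parse_version(driver_version) {
        Some(v) => v,
        None => return false, // unknown version: cannot judge, do not flag
    };
    if ver >= fixed_in {
        return false;
    }
    parse_uri_options(uri)
        .iter()
        .any(|(k, v)| k == "tlsinsecure" && v.eq_ignore_ascii_case("false"))
}

fn main() {
    // Constructed sample inventory of (connection string, driver version).
    let inventory = [
        ("mongodb://db.example.internal:27017/app?tls=true&tlsInsecure=False", "3.2.4"),
        ("mongodb://db.example.internal:27017/app?tls=true&tlsInsecure=false", "3.2.5"),
        ("mongodb://db.example.internal:27017/app?tls=true", "3.1.0"),
    ];
    for (uri, version) in inventory {
        println!("{version:>6}  exposed={}  {uri}", is_exposed(uri, version));
    }
}
```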
Affected products
MongoDB · Rust Driver
