← back
CVE-2025-13644

MongoDB may be susceptible to Invariant Failure due to batched delete

CVSS 7.1 HIGHEPSS 0.3%CWE-617
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected products
MongoDB Inc. · MongoDB Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://jira.mongodb.org/browse/SERVER-101180