Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.1.0-rc0, 5.0.31, 8.0.5, 6.0.24, 7.0.21
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Server Security
Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v8.0, v7.3, v7.0, v6.0, v5.0
Sprint:
Security 2024-08-19
Linked BF Score:
0
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

CVE ID:

CVE-2025-6707

Title:

Race condition in privilege cache invalidation cycle

Description:

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

CVSS Score:

4.2 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

List all affected product versions:

MongoDB Server v5.0 version prior to 5.0.31

MongoDB Server v6.0 version prior to 6.0.24

MongoDB Server v7.0 version prior to 7.0.21
MongoDB Server v8.0 version prior to 8.0.5

CWE:

CWE-863: Incorrect Authorization

is depended on by

SERVER-93027 Add more logging to user_cache_invalidation.js

Closed

is related to

SERVER-93616 Improve testing of user cache invalidation

Closed

Assignee:: Gabriel Marks
Reporter:: Gabriel Marks
Participants:: Gabriel Marks, Githook User
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Aug 12 2024 07:52:36 PM UTC
Updated:: Jun 26 2025 02:04:31 PM UTC
Resolved:: Aug 15 2024 08:32:13 PM UTC
Confidence Status Last Update:: 13/Aug/24 3:41 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates