Incorrect Permission Assignment for Critical Resource
CVE-2025-10059
Summary
An improper setting of the 'lsid' field on any sharded query can cause a crash in MongoDB routers. The issue occurs when the generic argument (lsid) is provided in a case where it is not applicable. This affects MongoDB Server v6.0.x versions prior to 6.0.24, MongoDB Server v7.0.x versions prior to 7.0.18, MongoDB Server v8.0.x versions prior to 8.0.6, and MongoDB Server v8.1.x versions prior to 8.1.0-rc0.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- NONE
- HIGH
CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Advisory Timeline
- Published