CVE-2025-14345

Published: Dec 9, 2025

Modified: Dec 9, 2025

PUBLISHED

CVSS v3.1

4.2

MEDIUM

Description

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.

Vendor	Product	Versions
MongoDB Inc.	MongoDB Server	affected `7.0 - < 7.0.26` affected `8.0 - < 8.0.16` affected `8.2 - < 8.2.2`

Weaknesses (CWE)

CWE-667

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://jira.mongodb.org/browse/SERVER-106075

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-14345

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References