MongoDB Server up to 6.0.24/7.0.21/8.0.11/8.1.1 Accumulator group denial of service

Summaryinfo

A vulnerability described as problematic has been identified in MongoDB Server up to 6.0.24/7.0.21/8.0.11/8.1.1. This issue affects some unknown processing of the component Accumulator Handler. Such manipulation of the argument group leads to denial of service. This vulnerability is traded as CVE-2025-10061. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in MongoDB Server up to 6.0.24/7.0.21/8.0.11/8.1.1. It has been rated as problematic. Affected by this issue is an unknown code block of the component Accumulator Handler. The manipulation of the argument group with an unknown input leads to a denial of service vulnerability. Using CWE to declare the problem leads to CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is availability. CVE summarizes:

An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2

The advisory is shared for download at jira.mongodb.org. This vulnerability is handled as CVE-2025-10061 since 09/05/2025. The exploitation is known to be easy. The attack may be launched remotely. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1499.

The vulnerability scanner Nessus provides a plugin with the ID 264354 (Linux Distros Unpatched Vulnerability : CVE-2025-10061), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.0.25, 7.0.22, 8.0.12 or 8.1.2 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (264354) and EUVD (EUVD-2025-27034). Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Database Software

Vendor

• MongoDB

Name

• Server

Version

• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.0.16
• 6.0.17
• 6.0.18
• 6.0.19
• 6.0.20
• 6.0.21
• 6.0.22
• 6.0.23
• 6.0.24
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.0.11
• 7.0.12
• 7.0.13
• 7.0.14
• 7.0.15
• 7.0.16
• 7.0.17
• 7.0.18
• 7.0.19
• 7.0.20
• 7.0.21
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.0.6
• 8.0.7
• 8.0.8
• 8.0.9
• 8.0.10
• 8.0.11
• 8.1.0
• 8.1.1

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion