MongoDB Server up to 7.0.25/8.0.12/8.1.1 Batched Delete assertion

Summaryinfo

A vulnerability labeled as problematic has been found in MongoDB Server up to 7.0.25/8.0.12/8.1.1. This affects an unknown part of the component Batched Delete Handler. Such manipulation leads to assertion. This vulnerability is traded as CVE-2025-13644. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in MongoDB Server up to 7.0.25/8.0.12/8.1.1. Affected by this issue is an unknown part of the component Batched Delete Handler. The manipulation with an unknown input leads to a assertion vulnerability. Using CWE to declare the problem leads to CWE-617. The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Impacted is availability. CVE summarizes:

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2

The advisory is available at jira.mongodb.org. This vulnerability is handled as CVE-2025-13644 since 11/25/2025. The exploitation is known to be easy. The attack may be launched remotely. The technical details are unknown and an exploit is not available.

The vulnerability scanner Nessus provides a plugin with the ID 276962 (Linux Distros Unpatched Vulnerability : CVE-2025-13644), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 7.0.26, 8.0.13 or 8.1.2 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (276962) and EUVD (EUVD-2025-199552). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Database Software

Vendor

• MongoDB

Name

• Server

Version

• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.0.11
• 7.0.12
• 7.0.13
• 7.0.14
• 7.0.15
• 7.0.16
• 7.0.17
• 7.0.18
• 7.0.19
• 7.0.20
• 7.0.21
• 7.0.22
• 7.0.23
• 7.0.24
• 7.0.25
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.0.6
• 8.0.7
• 8.0.8
• 8.0.9
• 8.0.10
• 8.0.11
• 8.0.12
• 8.1.0
• 8.1.1

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion