CVE-2025-6713

MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage

Description

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22

INFO

Published Date :

2025-07-07T14:46:36.201Z

Last Modified :

2025-07-18T05:50:23.153Z

Source :

mongodb

AFFECTED PRODUCTS

The following products are affected by CVE-2025-6713 vulnerability.

Vendors	Products
Mongodb	Mongodb

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-6713.

URL	Resource
https://jira.mongodb.org/browse/SERVER-106752

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact