CVE-2025-6713
Publication date 7 July 2025
Last updated 18 February 2026
Ubuntu priority
Description
An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.19 and MongoDB Server v6.0 versions prior to 6.0.22
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mongodb | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Vulnerable, fix deferred
|
|
| 18.04 LTS bionic |
Vulnerable, fix deferred
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty |
Vulnerable, fix deferred
|
Notes
john-breton
As of 2026-02-18, upstream has not posted a patch for this issue. Even if they did, due to the SSPL license for MongoDB we would be unable to use the patch to address this vulnerability in Ubuntu. The hope is a license-compliant third-party will make patches available in the future.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.7 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |