CVE-2025-13644 Overview
CVE-2025-13644 is a denial-of-service vulnerability in MongoDB Server triggered by batched delete operations. The server incorrectly assumes multiple documents exist in a batch when a single document exceeds BSONObjMaxSize. This faulty assumption triggers an invariant failure, causing the server process to terminate. The flaw is classified as a reachable assertion [CWE-617] and affects MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.13, and v8.1 versions prior to 8.1.2. An authenticated attacker with low privileges can exploit the issue over the network to crash the database service.
Critical Impact
An authenticated attacker can crash a MongoDB Server instance by issuing crafted batched delete operations involving oversized documents, resulting in service disruption.
Affected Products
- MongoDB Server v7.0 prior to 7.0.26
- MongoDB Server v8.0 prior to 8.0.13
- MongoDB Server v8.1 prior to 8.1.2
Discovery Timeline
- 2025-11-25 - CVE-2025-13644 published to NVD
- 2025-12-11 - Last updated in NVD database
Technical Details for CVE-2025-13644
Vulnerability Analysis
The vulnerability resides in MongoDB Server's handling of batched delete operations. During processing, the server inspects document size to make decisions about batch composition. When a document's serialized size exceeds the BSONObjMaxSize limit, the server incorrectly infers that the batch contains multiple documents. This incorrect inference violates an internal invariant. The invariant check then fails, causing the server to terminate the process abnormally.
The issue is a reachable assertion failure cataloged under [CWE-617]. Such failures convert an unexpected internal state into a hard crash rather than a recoverable error. Because the trigger condition depends only on document size during a delete batch, an authenticated client with permission to delete documents can reliably crash the server. Repeated exploitation prevents legitimate clients from completing read or write operations against the affected instance.
Root Cause
The defect originates in the batched delete code path. The logic conflates the condition "document size exceeds BSONObjMaxSize" with "multiple documents present in the batch." These two conditions are not equivalent. When the server processes a single oversized document, the internal state diverges from what subsequent code assumes, and the invariant fires.
Attack Vector
The attack is network-reachable and requires authenticated access with privileges sufficient to issue delete operations. No user interaction is required. The attacker submits a batched delete command that causes the server to evaluate a document whose size exceeds BSONObjMaxSize. The resulting invariant failure terminates the mongod process. Confidentiality and integrity are not affected, but availability is impacted because the database becomes unreachable until the process restarts.
No verified public exploit code is available for CVE-2025-13644. Refer to the MongoDB Jira Issue SERVER-101180 for vendor technical details.
Detection Methods for CVE-2025-13644
Indicators of Compromise
- Unexpected mongod process termination with invariant failure messages in server logs referencing batched delete code paths.
- Repeated client-side errors or connection resets correlated with delete operations against collections containing large documents.
- Cluster failover events or replica set step-downs immediately following batched delete commands.
Detection Strategies
- Parse MongoDB server logs for "Invariant failure" entries (severity F) and stack traces involving delete batch processing functions.
- Inspect the audit log for delete commands issued by low-privilege accounts immediately prior to a process crash.
- Monitor for mongod exit codes that indicate abnormal termination rather than graceful shutdown.
Monitoring Recommendations
- Alert on mongod process restarts and correlate timestamps with recent delete command activity.
- Track operation metrics for spikes in failed delete commands or oversized document write attempts.
- Forward MongoDB logs to a centralized analytics platform to enable correlation across replica set members.
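As an added example (not part of the original advisory), the following Python implements the two detection strategies above: it scans mongod structured log lines for fatal "Invariant failure" entries and correlates each with delete commands recorded in the audit log during the preceding window. All sample log lines are constructed, and the log ids, file path, hosts and user names in them are illustrative placeholders, not values from a real server.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data (not captured from a real server): mongod structured log
# lines and audit-log lines in the JSON shape MongoDB emits. Ids, the file path,
# addresses and user names are illustrative placeholders.
MONGOD_LOG = """\
{"t":{"$date":"2025-11-26T10:15:00.500+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.5.21:51422","connectionId":42}}
{"t":{"$date":"2025-11-26T10:15:02.004+00:00"},"s":"F","c":"ASSERT","id":23079,"ctx":"conn42","msg":"Invariant failure","attr":{"expr":"<expr>","file":"src/mongo/db/exec/<delete-batch-stage>.cpp","line":100}}
"""
AUDIT_LOG = """\
{"atype":"authCheck","ts":{"$date":"2025-11-26T10:14:20.000+00:00"},"users":[{"user":"reporting","db":"admin"}],"param":{"command":"find","ns":"shop.orders"},"result":0}
{"atype":"authCheck","ts":{"$date":"2025-11-26T10:15:01.900+00:00"},"users":[{"user":"app_rw","db":"admin"}],"param":{"command":"delete","ns":"shop.orders"},"result":0}
"""

def _ts(obj):
    """Parse MongoDB's extended-JSON {"$date": "..."} timestamp."""
    return datetime.fromisoformat(obj["$date"])

def find_invariant_crashes(log_text):
    """Return fatal 'Invariant failure' entries, flagging those whose source file
    indicates the delete code path (the CWE-617 condition this advisory describes)."""
    crashes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("s") == "F" and e.get("msg", "").startswith("Invariant failure"):
            src = e.get("attr", {}).get("file", "")
            crashes.append({"ts": _ts(e["t"]), "ctx": e.get("ctx"),
                            "file": src, "delete_path": "delete" in src.lower()})
    return crashes

def correlate_deletes(crashes, audit_text, window_seconds=30):
    """For each crash, list users whose audit-logged delete commands fall in the
    window_seconds before the crash timestamp."""
    window = timedelta(seconds=window_seconds)
    audits = [json.loads(l) for l in audit_text.splitlines() if l.strip()]
    findings = []
    for c in crashes:
        suspects = [f"{u['user']}@{u['db']}"
                    for a in audits
                    if a.get("param", {}).get("command") == "delete"
                    and c["ts"] - window <= _ts(a["ts"]) <= c["ts"]
                    for u in a.get("users", [])]
        findings.append({"crash_ts": c["ts"].isoformat(), "file": c["file"],
                         "delete_users": suspects})
    return findings

if __name__ == "__main__":
    for f in correlate_deletes(find_invariant_crashes(MONGOD_LOG), AUDIT_LOG):
        print(f)
```

In a real deployment the same two functions would be fed from the centralized log platform rather than inline strings, and a crash with a delete-path file plus a correlated delete user is the event to alert on.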
How to Mitigate CVE-2025-13644
Immediate Actions Required
- Upgrade MongoDB Server to version 7.0.26, 8.0.13, 8.1.2, or later as appropriate for the deployed release line.
- Audit role assignments and remove unnecessary delete privileges from application and user accounts.
- Restrict network exposure of MongoDB instances to trusted application tiers only.
Patch Information
MongoDB has released fixed versions addressing the invariant failure. Apply MongoDB Server 7.0.26 for the 7.0 branch, 8.0.13 for the 8.0 branch, or 8.1.2 for the 8.1 branch. Track the vendor advisory at MongoDB Jira Issue SERVER-101180 for additional release notes and downstream patch availability.
Workarounds
- Enforce application-level validation to reject delete operations that target documents approaching BSONObjMaxSize.
- Apply role-based access control to limit which accounts can execute batched delete commands.
- Place MongoDB behind a network policy that restricts access to vetted client subnets until patches are deployed.
# Verify the installed MongoDB Server version against the fixed releases (7.0.26, 8.0.13, 8.1.2) and plan the upgrade
mongod --version
# Review accounts holding roles that carry delete privileges (run in mongosh as an administrative user)
use admin
db.system.users.find({ "roles.role": { $in: ["readWrite", "readWriteAnyDatabase", "dbOwner", "root"] } })
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.