CVE-2025-6710 Overview
MongoDB Server contains a stack overflow vulnerability in its JSON parsing mechanism. Specially crafted JSON inputs can induce excessive levels of recursion, leading to stack space exhaustion. This vulnerability can cause the server to crash and may be exploitable without authentication in affected versions, resulting in denial of service conditions.
Critical Impact
Pre-authentication denial of service attack vector in MongoDB Server v7.0 and v8.0 that can crash database servers through malicious JSON payloads.
Affected Products
- MongoDB Server v7.0 versions prior to 7.0.17
- MongoDB Server v8.0 versions prior to 8.0.5
- MongoDB Server v6.0 versions prior to 6.0.21 (requires authentication to exploit)
Discovery Timeline
- 2025-06-26 - CVE-2025-6710 published to NVD
- 2025-09-15 - Last updated in NVD database
Technical Details for CVE-2025-6710
Vulnerability Analysis
This vulnerability stems from improper handling of recursive JSON structures within MongoDB's parsing engine (CWE-674: Uncontrolled Recursion). The JSON parser fails to implement adequate depth limits when processing nested JSON objects or arrays. When an attacker submits a deeply nested JSON document, the parser recursively descends through each level, consuming stack space with each recursive call until the stack is exhausted.
The attack surface varies by MongoDB version. In versions 7.0 (prior to 7.0.17) and 8.0 (prior to 8.0.5), the vulnerability can be triggered pre-authentication, meaning any network-accessible MongoDB instance is at risk. Version 6.0 (prior to 6.0.21) requires the attacker to first authenticate before exploiting the flaw, reducing but not eliminating the risk.
Root Cause
The root cause is uncontrolled recursion in MongoDB's JSON parsing code. The parser lacks proper bounds checking for recursion depth when processing deeply nested JSON structures. Each level of nesting adds a new stack frame, and without limits, an attacker can craft input that exceeds the available stack space, triggering a stack overflow and subsequent server crash.
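The recursion pattern described above, shown in a toy parser written for this page (not MongoDB's code): the unbounded version exhausts the interpreter stack on a constructed deeply nested array, while the depth-bounded version rejects the same input cleanly before any stack pressure builds. The MAX_DEPTH value is an assumption chosen for illustration.

```python
"""Toy recursive-descent JSON array parser showing CWE-674 and its fix."""

MAX_DEPTH = 200  # example bound; a real parser sizes this to its stack budget


def _parse(text, pos, depth, max_depth):
    """Parse one value at text[pos]; return (value, next_pos). Every nested array
    costs one more recursive call, so the stack grows with the nesting. max_depth=None
    leaves that unbounded (the vulnerable pattern); a number is checked before
    descending, so bad input is rejected long before the stack runs out."""
    ch = text[pos]
    if ch == "[":
        if max_depth is not None and depth >= max_depth:
            raise ValueError(f"nesting deeper than {max_depth} rejected")
        pos, items = pos + 1, []
        while text[pos] != "]":
            value, pos = _parse(text, pos, depth + 1, max_depth)  # one frame per level
            items.append(value)
            if text[pos] == ",":
                pos += 1
        return items, pos + 1
    if ch.isdigit():
        end = pos
        while end < len(text) and text[end].isdigit():
            end += 1
        return int(text[pos:end]), end
    raise ValueError(f"unexpected character {ch!r} at offset {pos}")


def parse_unbounded(text):
    """Vulnerable: depth is limited only by the available stack."""
    return _parse(text, 0, 0, None)[0]


def parse_bounded(text, max_depth=MAX_DEPTH):
    """Hardened: refuses input before recursion can exhaust the stack."""
    return _parse(text, 0, 0, max_depth)[0]


def outcome(text, parser):
    """Classify the result; Python's RecursionError stands in for the native
    stack overflow that would crash the whole server process."""
    try:
        parser(text)
        return "parsed"
    except RecursionError:
        return "stack exhausted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    deep = "[" * 100_000 + "]" * 100_000  # constructed deeply nested payload
    print(outcome(deep, parse_unbounded), outcome(deep, parse_bounded))
```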
Attack Vector
The attack is network-based and requires no user interaction. An attacker can send a maliciously crafted JSON document with extreme nesting depth to the MongoDB server. The JSON parsing mechanism processes this input recursively, consuming stack memory until exhaustion occurs. This causes the MongoDB server process to crash, resulting in denial of service.
For versions 7.0 and 8.0, the attack can be executed without valid credentials, making internet-exposed MongoDB instances particularly vulnerable. The attack requires only the ability to send network traffic to the MongoDB port and craft a JSON payload with sufficient nesting depth to exhaust stack space.
Detection Methods for CVE-2025-6710
Indicators of Compromise
- MongoDB server process crashes with stack overflow errors in logs
- Repeated server restarts or unexplained service interruptions
- Abnormally large or deeply nested JSON documents in network traffic to MongoDB ports
- Stack-related error messages in MongoDB logs such as segmentation faults or stack exhaustion warnings
Detection Strategies
- Monitor MongoDB logs for crash events with stack-related error signatures
- Implement network-level inspection for JSON payloads with excessive nesting depth targeting MongoDB ports (default 27017)
- Deploy application-level monitoring to track incoming request sizes and complexity metrics
- Use SentinelOne Singularity to detect anomalous process behavior and crash patterns associated with stack overflow exploitation
Monitoring Recommendations
- Enable verbose logging on MongoDB instances to capture pre-crash conditions
- Configure alerting for MongoDB service interruptions or repeated restarts
- Monitor network traffic for unusually structured JSON payloads destined for database servers
- Implement rate limiting on MongoDB connections to reduce the impact of repeated exploitation attempts
How to Mitigate CVE-2025-6710
Immediate Actions Required
- Upgrade MongoDB Server v7.0 to version 7.0.17 or later
- Upgrade MongoDB Server v8.0 to version 8.0.5 or later
- Upgrade MongoDB Server v6.0 to version 6.0.21 or later
- Restrict network access to MongoDB instances using firewall rules to limit exposure
- Ensure MongoDB is not directly exposed to the internet without authentication and access controls
Patch Information
MongoDB has released patched versions that address this stack overflow vulnerability. The fixes implement proper recursion depth limits in the JSON parsing mechanism. Refer to MongoDB Jira Issue SERVER-106749 for detailed patch information and release notes. Organizations should prioritize upgrading to the fixed versions immediately, especially for internet-facing deployments.
Workarounds
- Place MongoDB instances behind a reverse proxy or application layer that validates and limits JSON nesting depth before forwarding requests
- Implement network segmentation to prevent untrusted sources from directly accessing MongoDB servers
- Enable authentication on all MongoDB instances to require credentials before processing requests (mitigates pre-auth exploitation in v7.0/v8.0)
- Use firewall rules to restrict MongoDB port access to trusted IP addresses only
# Example: Restrict MongoDB access using iptables
# 10.0.0.0/8 stands in for your trusted client range; replace it with your own.
# -A appends, so these rules must precede any broader ACCEPT already in the chain.
iptables -A INPUT -p tcp --dport 27017 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 27017 -j DROP
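An added example (not from the original page or from MongoDB) of the nesting-depth pre-check that the detection strategy and the reverse-proxy workaround above both call for. It assumes a layer that sees the request as JSON text, such as an application API in front of the database, and measures depth with a loop rather than recursion so the check cannot itself be exhausted by the input it inspects; MAX_NESTING and the sample documents are constructed for illustration.

```python
"""Non-recursive nesting-depth check for JSON text, for a proxy or IDS rule."""

MAX_NESTING = 100  # constructed threshold; tune to what clients legitimately send


def max_nesting_depth(payload: str) -> int:
    """Return the deepest [ or { nesting in payload.

    A loop rather than recursion measures the depth, so the checker itself
    cannot be exhausted by the input it inspects. Brackets inside string
    literals (including after escaped quotes) do not count.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in payload:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth = max(depth - 1, 0)  # unbalanced closers are left to the real parser
    return deepest


def should_forward(payload: str, limit: int = MAX_NESTING) -> bool:
    """Admission decision for a layer in front of the database: forward only
    payloads whose nesting stays at or below the limit."""
    return max_nesting_depth(payload) <= limit


# Constructed sample requests: a normal document and a deeply nested one.
NORMAL = '{"user": {"name": "a]b", "tags": ["x", "y"], "note": "\\"[{"}}'
NESTED = "[" * 5000 + "]" * 5000

if __name__ == "__main__":
    for label, doc in (("normal", NORMAL), ("nested", NESTED)):
        verdict = "forward" if should_forward(doc) else "drop"
        print(f"{label}: depth={max_nesting_depth(doc)} -> {verdict}")
```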
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.