CVE-2025-14345

EUVD-2025-201945

09.12.2025, 16:17

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.

This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.2 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
mongodb	CNA	4.2 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
mongodb	mongodb	7.0.0 ≤ 𝑥 < 7.0.26
mongodb	mongodb	8.0.0 ≤ 𝑥 < 8.0.16
mongodb	mongodb	8.2.0 ≤ 𝑥 < 8.2.2
mongodb	mongodb	8.3.0:alpha0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

mongodb

bionic	deferred
focal	deferred
jammy	dne
noble	dne
plucky	dne
questing	dne
trusty	deferred
xenial	deferred

Common Weakness Enumeration

CWE-667 - Improper Locking
The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

References

https://jira.mongodb.org/browse/SERVER-106075