CVE-2025-10059

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-10059
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10059.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-10059
Aliases
Downstream
Published
2025-09-05T21:15:34.773Z
Modified
2026-04-12T17:35:44.583234Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

References

Affected packages

Git / github.com/mongodb/mongo

Affected ranges

Type
GIT
Repo
https://github.com/mongodb/mongo
Events
Introduced
e61bf27c2f6a83fed36e5a13c008a32d563babe2
Fixed
c5423a4f25b3056ee2380ddc4e5e5fc3f5a6afc2
Introduced
37d84072b5c5b9fd723db5fa133fb202ad2317f1
Fixed
01446737d14e8e41feba33b2a5b7538c4b0fdc89
Introduced
b41cda4fe697dce6fd9b83b3805362ccc02fbeb3
Fixed
1726bc39e585c858ed984dc9dce620f43684ed10
Database specific 
{
    "versions": [
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.24"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.18"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.6"
        }
    ]
}

Affected versions

r6.*
r6.0.0
r6.0.1
r6.0.1-rc0
r6.0.10
r6.0.10-rc0
r6.0.11
r6.0.11-rc0
r6.0.12
r6.0.12-rc0
r6.0.12-rc1
r6.0.13
r6.0.13-rc0
r6.0.14
r6.0.14-rc0
r6.0.14-rc1
r6.0.15
r6.0.15-rc0
r6.0.16
r6.0.16-rc0
r6.0.17
r6.0.17-rc0
r6.0.18
r6.0.18-rc0
r6.0.19
r6.0.2
r6.0.2-rc0
r6.0.2-rc1
r6.0.20
r6.0.20-rc0
r6.0.20-rc1
r6.0.20-rc2
r6.0.20-rc3
r6.0.21
r6.0.24-alpha0
r6.0.3
r6.0.3-rc0
r6.0.3-rc1
r6.0.3-rc2
r6.0.4
r6.0.4-rc0
r6.0.4-rc1
r6.0.5
r6.0.5-rc0
r6.0.5-rc1
r6.0.6
r6.0.6-rc0
r6.0.6-rc1
r6.0.7
r6.0.7-rc0
r6.0.8
r6.0.8-rc0
r6.0.9
r6.0.9-rc0
r6.0.9-rc1
r7.*
r7.0.0
r7.0.1
r7.0.1-rc0
r7.0.10
r7.0.10-rc0
r7.0.11
r7.0.11-rc0
r7.0.11-rc1
r7.0.11-rc2
r7.0.12
r7.0.12-rc0
r7.0.12-rc1
r7.0.13
r7.0.13-rc0
r7.0.13-rc1
r7.0.14
r7.0.14-rc0
r7.0.15
r7.0.15-rc0
r7.0.15-rc1
r7.0.16
r7.0.16-rc0
r7.0.16-rc1
r7.0.17
r7.0.2
r7.0.2-rc0
r7.0.2-rc1
r7.0.2-rc2
r7.0.3
r7.0.3-rc0
r7.0.3-rc1
r7.0.4
r7.0.4-rc0
r7.0.5
r7.0.5-rc0
r7.0.6
r7.0.6-rc0
r7.0.7
r7.0.7-rc0
r7.0.7-rc1
r7.0.7-rc2
r7.0.8
r7.0.8-rc0
r7.0.9
r7.0.9-rc0
r7.0.9-rc1
r8.*
r8.0.0
r8.0.1
r8.0.1-rc0
r8.0.2
r8.0.3
r8.0.4
r8.0.4-rc0
r8.0.5
r8.0.5-rc0
r8.0.5-rc1
r8.0.5-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10059.json"
vanir_signatures 
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "259138757267497787322732660740307019147",
                "132000857137170557431027225526182190543",
                "219296449103344026824906174079893054414",
                "5720932185945374029998360576327319478"
            ]
        },
        "id": "CVE-2025-10059-30d30407",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/mongodb/mongo/commit/c5423a4f25b3056ee2380ddc4e5e5fc3f5a6afc2",
        "target": {
            "file": "src/mongo/db/repl/oplog_applier_impl.cpp"
        }
    },
    {
        "digest": {
            "length": 2368.0,
            "function_hash": "254642164138027264659524708034929552096"
        },
        "id": "CVE-2025-10059-651640f6",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/mongodb/mongo/commit/c5423a4f25b3056ee2380ddc4e5e5fc3f5a6afc2",
        "target": {
            "function": "OplogApplierImpl::_run",
            "file": "src/mongo/db/repl/oplog_applier_impl.cpp"
        }
    },
    {
        "digest": {
            "length": 827.0,
            "function_hash": "270348088771156963022993784675396103736"
        },
        "id": "CVE-2025-10059-b35324af",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/mongodb/mongo/commit/01446737d14e8e41feba33b2a5b7538c4b0fdc89",
        "target": {
            "function": "CollectionRoutingInfoTargeter::_targetQuery",
            "file": "src/mongo/s/collection_routing_info_targeter.cpp"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "200589201934254357811463676773712275958",
                "63605353816517337771785508199529866736",
                "80109071181097913300146229557150592459",
                "223503303510403772449454539366973737259",
                "206307475781743155230171432035110126298",
                "209462201861701036355955731340079539923",
                "104764857285727897851241798430944180616",
                "90235110007444317084516985049945193792"
            ]
        },
        "id": "CVE-2025-10059-ff8803f2",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/mongodb/mongo/commit/01446737d14e8e41feba33b2a5b7538c4b0fdc89",
        "target": {
            "file": "src/mongo/s/collection_routing_info_targeter.cpp"
        }
    }
]
vanir_signatures_modified 
"2026-04-12T17:35:44Z"