CVE-2025-13507

Source
https://cve.org/CVERecord?id=CVE-2025-13507
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13507.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-13507
Aliases
Downstream
Published
2025-11-25T05:16:09.090Z
Modified
2026-02-05T09:53:33.232477Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

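Inconsistent object size validation in the time-series processing logic may allow oversized BSON documents to reach later processing, where an assertion fails and the server process terminates. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16, and v8.2 versions prior to 8.2.1. Per the CVSS vector above, the impact is limited to availability (VA:H), and the issue is reachable over the network by a user with low privileges (AV:N/PR:L). The tag list under "Affected versions" is not exhaustive (for example, it has no r7.0.19 or r8.0.15 entry), so assess deployments against these version ranges rather than the enumerated tags.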

References

Affected packages

Git / github.com/mongodb/mongo

Affected versions

r7.*
r7.0.0
r7.0.1
r7.0.1-rc0
r7.0.10
r7.0.10-rc0
r7.0.11
r7.0.11-rc0
r7.0.11-rc1
r7.0.11-rc2
r7.0.12
r7.0.12-rc0
r7.0.12-rc1
r7.0.13
r7.0.13-rc0
r7.0.13-rc1
r7.0.14
r7.0.14-rc0
r7.0.15
r7.0.15-rc0
r7.0.15-rc1
r7.0.16
r7.0.16-rc0
r7.0.16-rc1
r7.0.17
r7.0.18
r7.0.2
r7.0.2-rc0
r7.0.2-rc1
r7.0.2-rc2
r7.0.21
r7.0.21-alpha0
r7.0.21-rc0
r7.0.22
r7.0.22-rc0
r7.0.23
r7.0.23-rc0
r7.0.23-rc1
r7.0.24
r7.0.24-rc0
r7.0.25-alpha0
r7.0.3
r7.0.3-rc0
r7.0.3-rc1
r7.0.4
r7.0.4-rc0
r7.0.5
r7.0.5-rc0
r7.0.6
r7.0.6-rc0
r7.0.7
r7.0.7-rc0
r7.0.7-rc1
r7.0.7-rc2
r7.0.8
r7.0.8-rc0
r7.0.9
r7.0.9-rc0
r7.0.9-rc1
r8.*
r8.0.0
r8.0.1
r8.0.1-rc0
r8.0.10
r8.0.10-rc0
r8.0.12
r8.0.12-rc0
r8.0.13
r8.0.13-rc0
r8.0.13-rc1
r8.0.13-rc2
r8.0.14
r8.0.14-rc0
r8.0.14-rc1
r8.0.16-rc0
r8.0.2
r8.0.3
r8.0.4
r8.0.4-rc0
r8.0.5
r8.0.5-rc0
r8.0.5-rc1
r8.0.5-rc2
r8.0.6
r8.2.0
r8.2.1-rc0

Database specific

vanir_signatures
[
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-057bcab9",
        "target": {
            "file": "src/mongo/db/query/query_planner_params.cpp"
        },
        "digest": {
            "line_hashes": [
                "53089854312032023108236477006276964062",
                "929143834702686652304868442111772967",
                "43414571029745602454341970726107449374",
                "137320233105713572959093475235010952343",
                "20958512346721825150691381592188653935",
                "32488327726920419443034381167767771154",
                "118163823611587160628803308833362944680",
                "122447808960287599268240948441769841632",
                "50126037778368965892963172358762126533",
                "154754662123519862513687358749200258148",
                "3393316797857700642349712904926514752"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "id": "CVE-2025-13507-0d7700d5",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_windows.cpp",
            "function": "validatePeerCertificate"
        },
        "digest": {
            "function_hash": "169396510644917166107972285471505278925",
            "length": 5523.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-13f71fbc",
        "target": {
            "file": "src/mongo/db/query/planner_wildcard_helpers.cpp"
        },
        "digest": {
            "line_hashes": [
                "249051973705161421560899634600199076964",
                "141740705175550341226340919871766281242",
                "31797772635998441161542971107160448434",
                "132974319488123001241350457859224821345"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "id": "CVE-2025-13507-1ac5af1d",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_windows.cpp"
        },
        "digest": {
            "line_hashes": [
                "255094620203238166973302767875286180987",
                "311318788437859314187108745684874069447",
                "13195629967762718487111799273423913192",
                "145659902616350294817239749199959363992",
                "221972074441494021565962355714822796262",
                "48835208987546656192845547932509644477",
                "87708939807646049295739831013123777386",
                "10193593850898967193818537886210518552",
                "331231889353555350497810337678926637920",
                "152234860073312542299676805758359870241"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-3a92b0f4",
        "target": {
            "file": "src/mongo/db/query/index_bounds_builder_test_fixture.h"
        },
        "digest": {
            "line_hashes": [
                "79352476415990893297885829188788851702",
                "96264135931572942438236247371943938867",
                "205699743260697356860009613533201130928",
                "327098372172384729150010102032791981328"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-448a167f",
        "target": {
            "file": "src/mongo/db/query/planner_wildcard_helpers.cpp",
            "function": "createExpandedIndexEntry"
        },
        "digest": {
            "function_hash": "19492702409308451347220672662745841156",
            "length": 956.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "id": "CVE-2025-13507-5d8a373e",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_apple.cpp"
        },
        "digest": {
            "line_hashes": [
                "52207717764756858887103230689427858974",
                "241284099896496899084843301553798842386",
                "81015194422365157642401834775353309989",
                "306832239360780013917147226125039650941"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-65b20c88",
        "target": {
            "file": "src/mongo/db/query/query_planner_params.cpp",
            "function": "indexEntryFromIndexCatalogEntry"
        },
        "digest": {
            "function_hash": "103719588638741919025789135868204531444",
            "length": 1731.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-6e8caf86",
        "target": {
            "file": "src/mongo/db/query/collection_query_info.cpp"
        },
        "digest": {
            "line_hashes": [
                "189333303470414706517825545515678200768",
                "202919072866983895184691397030865194088",
                "315557802260874947528313451448176834900",
                "213622594336086705187192313499455539893"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-8496793e",
        "target": {
            "file": "src/mongo/db/query/query_planner_params.cpp",
            "function": "fillOutIndexEntries"
        },
        "digest": {
            "function_hash": "117513348262714958710418884020572531346",
            "length": 794.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-8df5781d",
        "target": {
            "file": "src/mongo/db/query/index_entry.h"
        },
        "digest": {
            "line_hashes": [
                "244092128141109068790597833792771869962",
                "131807433502334542792340552702236492782",
                "308056450644446876092685883131166640220",
                "244132815259624924083936790072081489188",
                "48358986428327356352711446765550927141",
                "217205618164515642292517146053277816938",
                "109085097479535235270918539708416645068",
                "1544229181798411985602566205969908148",
                "247188723388188276932696073133141437086",
                "86857280493519996288539620994742431497",
                "139659090293540209283786558335152622221",
                "333677887994342152542488209526436378187",
                "333394532223339169168268344688074601256",
                "306767205692433398240494373142606478614",
                "229990481424514315064830048501881972140",
                "48544630614827616360635971799160836221",
                "150447868201959270518529828079962050573",
                "220427871503775394596777991515307371461",
                "601511317739815436423990688357856273",
                "301210681512775426584528397068579248537",
                "190394335184497810764056783078292109728",
                "329716026598828168293921543505667556864",
                "55941009747741831485899940034928560320",
                "118469087764106956444219074765234226696",
                "178895914867038080484832472600651426808"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "id": "CVE-2025-13507-a2bd2a3d",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_apple.cpp",
            "function": "CreateSecTrustPolicies"
        },
        "digest": {
            "function_hash": "60854262378866240810463600752329606435",
            "length": 715.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/mongodb/mongo/commit/722d015456e81e950c0a416a8177bac2832ad18d",
        "id": "CVE-2025-13507-e45f486f",
        "target": {
            "file": "src/mongo/db/query/collection_query_info.cpp",
            "function": "indexInfoFromIndexCatalogEntry"
        },
        "digest": {
            "function_hash": "332376735927461729386566008374621361924",
            "length": 530.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13507.json"