MongoDB Server may hit an invariant failure, which aborts the server process, while processing documents in batched delete operations. The failure occurs when the server wrongly assumes that a batch contains multiple documents solely because the document size exceeds BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2.
{
"versions": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.26"
},
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.13"
},
{
"introduced": "8.1.0"
},
{
"fixed": "8.1.2"
},
{
"introduced": "0"
},
{
"last_affected": "8.2.0-alpha"
},
{
"introduced": "0"
},
{
"last_affected": "8.2.0-alpha0"
},
{
"introduced": "0"
},
{
"last_affected": "8.2.0-alpha1"
},
{
"introduced": "0"
},
{
"last_affected": "8.2.0-alpha2"
}
]
}[
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/mongo/util/net/ssl_manager_windows.cpp",
"function": "validatePeerCertificate"
},
"id": "CVE-2025-13644-0d7700d5",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
"digest": {
"function_hash": "169396510644917166107972285471505278925",
"length": 5523.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/jit/IonAnalysis.cpp",
"function": "jit::ExtractLinearSum"
},
"id": "CVE-2025-13644-0dfbf4f9",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "180452319589069234629198624976346946716",
"length": 1877.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/selfhosted.out.h"
},
"id": "CVE-2025-13644-14e9685e",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"233822600020224691324687507502854917012",
"259237089265441588225020498284195966061",
"229874218253122892233995666813105954973",
"55368925209121119623273095661399711141",
"314821992127340870849716960477288607017",
"327763084793654983710366575691625801466"
],
"threshold": 0.9
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/mongo/util/net/ssl_manager_windows.cpp"
},
"id": "CVE-2025-13644-1ac5af1d",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
"digest": {
"line_hashes": [
"255094620203238166973302767875286180987",
"311318788437859314187108745684874069447",
"13195629967762718487111799273423913192",
"145659902616350294817239749199959363992",
"221972074441494021565962355714822796262",
"48835208987546656192845547932509644477",
"87708939807646049295739831013123777386",
"10193593850898967193818537886210518552",
"331231889353555350497810337678926637920",
"152234860073312542299676805758359870241"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/selfhosted.out.h",
"function": "GetCompressedSize"
},
"id": "CVE-2025-13644-1d3fd4b4",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "191675906453157901159272051109947468773",
"length": 37.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/wasm/WasmBinary.h",
"function": "Decoder::uncheckedReadValType"
},
"id": "CVE-2025-13644-2a67fb94",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "300146235213517278099855578640286042880",
"length": 785.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/debugger/Object.cpp"
},
"id": "CVE-2025-13644-42bd3dbe",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"21700428046421127421323555831707373147",
"324445372285871517778363069750912601082",
"262417669343811407928213421992344930407",
"299952912235979295938652992733765852220",
"223020179591167581922430840602120588042",
"76392391136404412266540356859748577865",
"144828547710741227951591612655053005257",
"26145320010660338685544800450383643863",
"86541778185874678926120678276585753216",
"138834464679224885110133430287273260509",
"200041923461716424633911745316845157553",
"231640357123275454755144961811740346281",
"62174931455083496885168091839217665020",
"243556370846504531133022359019318327295"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp",
"function": "PerformPromiseAllSettled"
},
"id": "CVE-2025-13644-455305b8",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "322504896487733643987698766970184785592",
"length": 1597.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/mongo/util/net/ssl_manager_apple.cpp"
},
"id": "CVE-2025-13644-5d8a373e",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
"digest": {
"line_hashes": [
"52207717764756858887103230689427858974",
"241284099896496899084843301553798842386",
"81015194422365157642401834775353309989",
"306832239360780013917147226125039650941"
],
"threshold": 0.9
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/debugger/Object.h"
},
"id": "CVE-2025-13644-65361797",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"140842877367581695931817418870969911672",
"108067251684823228022865352906759739770",
"251660068452598843134418262341767187690",
"192807913338543405379286074249083399886"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp",
"function": "PerformPromiseAny"
},
"id": "CVE-2025-13644-6a504bb0",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "171501542211790821867295986610490881058",
"length": 1273.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp",
"function": "NewPromiseCombinatorElementFunction"
},
"id": "CVE-2025-13644-6aa40d49",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "200424567389223175620134944935335508450",
"length": 440.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp"
},
"id": "CVE-2025-13644-6eae1795",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"283276770610229274924491311610727283694",
"223311302544631455400650617639170773676",
"90063100429139877285873388804530783760",
"86085151279178720650314156856234882904",
"281020118383435013146100190569239217843",
"41107567404056157565557688404100566184",
"74351063868903772963834321955788103156",
"13521039837103148814569341918912834406",
"36260041144618100554740435591761904336",
"27690225435035050917375120122411067943",
"340170013726206449029660710270577323766",
"310834946761694104279714660507503925920",
"300327435722999180465623099287620910591",
"297732544515367463996445480087937265088",
"132927470061641516546699686177790016323",
"322916841294094212156210439958241329426",
"224174525795944300072693503175789821262",
"261453120444748041829897796324417204613",
"186494106081938789454682331006281862576",
"115463443459467207833693268423115141894",
"283785597959310717935698531808900285382",
"321975638985055203906740549372562595906",
"296160540697433102304667749131991459915",
"29066835483433250460791559865200066316",
"22570878816278970340190322875676282147",
"330286656483869645358132993236668816325",
"263762099277281125664300343878149950130",
"294893919894491423666189688217690599620",
"150487368168266785051337651425975271302",
"230024687364551206152518585820098432605",
"272410783540586364171047192880359424275",
"85028545331126221101067072995880948630",
"123291067645900039128587761995629340470",
"114333194229050794000193313745741811255",
"287483403118004421870961078792251593088",
"106701195274063597005025773821420104303",
"264060692128552857235920370104676512465",
"206068674440720352432612411249474626906",
"152544295007594801375455971956626050761",
"12046842334037234715046261906265651976",
"57880048212257412984907743099810632821",
"331612528930379524563406120471904018249",
"221057826001161457927025969525954463022",
"197219904741988301573053111681590661496",
"111568082278382296268614383555711312153",
"246318035368099374259343171604051290832"
],
"threshold": 0.9
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/jit/IonAnalysis.cpp"
},
"id": "CVE-2025-13644-73460749",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"196138153632607061369037758940251727925",
"145301335159505806605133947050331798162",
"306803082390005738986358568781404053608"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/mongo/util/net/ssl_manager_apple.cpp",
"function": "CreateSecTrustPolicies"
},
"id": "CVE-2025-13644-a2bd2a3d",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
"digest": {
"function_hash": "60854262378866240810463600752329606435",
"length": 715.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/jsexn.cpp"
},
"id": "CVE-2025-13644-a7a731b0",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"40857198934976114917300351622884609538",
"45551216037773890516608805398904139164",
"282718185414854676338272859137864681412",
"91281966305183505001066319933948991922"
],
"threshold": 0.9
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/platform/s390x/linux/include/selfhosted.out.h"
},
"id": "CVE-2025-13644-ac2ce78a",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"125791476823828993628408185059782113391",
"117954400900675147649404909394499574060",
"330775992030250075599705380910195595938",
"252995935497114430200490212827101586927",
"143953345646466956233951309294899363318",
"86592730623430710126091657217537817139"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp",
"function": "PromiseCombinatorElementFunctionAlreadyCalled"
},
"id": "CVE-2025-13644-afb7d5d2",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "169967935600596441283618270024627156696",
"length": 615.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp",
"function": "PerformPromiseAll"
},
"id": "CVE-2025-13644-b9ffa234",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "96698668918143478879200112220370639509",
"length": 1229.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/wasm/WasmBinary.h"
},
"id": "CVE-2025-13644-d78c3f5c",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"line_hashes": [
"80894074731980165663931623136891125118",
"31156884667780498534088508637093193674",
"41204151585887772467880372310145111402",
"5405185916617019004112002579371047201",
"134349003954023675296219499993385845495",
"244184485485950487077960682353299236566",
"137740464990169472504773074535927665416"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/jsexn.cpp",
"function": "JS::ErrorReportBuilder::init"
},
"id": "CVE-2025-13644-ecf0262f",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "264363265445513080133115658903053598429",
"length": 2915.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/extract/js/src/builtin/Promise.cpp",
"function": "js::GetWaitForAllPromise"
},
"id": "CVE-2025-13644-efec08c3",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "256617234406531711737567600158479601688",
"length": 1871.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "src/third_party/mozjs/platform/s390x/linux/include/selfhosted.out.h",
"function": "GetCompressedSize"
},
"id": "CVE-2025-13644-f36bf826",
"deprecated": false,
"source": "https://github.com/mongodb/mongo/commit/aae5d55d1b9a803d5bf33dcaabc307767d672508",
"digest": {
"function_hash": "168397806618594857947973109860769300912",
"length": 37.0
}
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13644.json"