CVE-2025-14345

Source
https://cve.org/CVERecord?id=CVE-2025-14345
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14345.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-14345
Published
2025-12-09T16:17:41.153Z
Modified
2026-04-12T17:59:00.870354Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
[none]
Details

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.

This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.2 versions prior to 8.2.2.

Affected packages

Git / github.com/mongodb/mongo

Affected ranges

Type
GIT
Repo
https://github.com/mongodb/mongo
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.26"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.16"
        },
        {
            "introduced": "8.2.0"
        },
        {
            "fixed": "8.2.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.3.0-alpha0"
        }
    ]
}

Affected versions

0.*
0.9.1
1.*
1.7-cut
r0.*
r0.0.3
r0.0.4_rc1
r0.0.6_rc1
r0.0.7_rc1
r0.0.7_rc2
r0.0.7_rc3
r0.0.7_rc4
r0.0.9_rc1
r0.1.0_rc1
r0.1.2_rc1
r0.1.3_rc1
r0.1.4_rc1
r0.1.5_rc1
r0.1.6_rc1
r0.2.1
r0.9.1
r0.9.10
r0.9.5
r0.9.6
r0.9.8
r0.9.9
r1.*
r1.1.1
r1.1.3
r1.3.0
r1.3.4
r1.5.0
r1.5.1
r1.5.2
r1.5.5
r1.5.6
r1.7.5
r1.7.6
r1.8.0-rc0
r2.*
r2.1.1
r2.1.2
r2.2.0-rc0
r2.3.1
r2.3.2
r2.4.0-rc0
r2.4.0-rc1
r2.4.0-rc2
r2.4.0.rc1
r2.5.1
r2.5.2
r2.5.3
r2.5.4
r2.5.5
r2.6.0-rc0
r2.6.0-rc1
r2.7.0
r2.7.1
r2.7.2
r2.7.3
r2.7.4
r2.7.5
r2.7.6
r2.7.7
r2.7.8
r2.8.0-rc0
r2.8.0-rc1
r2.8.0-rc2
r2.8.0-rc3
r2.8.0-rc4
r2.8.0-rc5
r3.*
r3.1.0
r3.1.1
r3.1.2
r3.1.3
r3.1.4
r3.1.5
r3.1.6
r3.1.7
r3.1.8
r3.1.9
r3.2.0
r3.2.0-rc0
r3.2.0-rc1
r3.2.0-rc2
r3.2.0-rc3
r3.2.0-rc4
r3.2.0-rc5
r3.2.0-rc6
r3.3.0
r3.3.1
r3.3.10
r3.3.11
r3.3.12
r3.3.13
r3.3.14
r3.3.15
r3.3.2
r3.3.3
r3.3.4
r3.3.5
r3.3.6
r3.3.7
r3.3.8
r3.3.9
r3.4.0-rc0
r3.4.0-rc1
r3.4.0-rc2
r3.4.0-rc3
r3.5.0
r3.5.1
r3.5.10
r3.5.11
r3.5.12
r3.5.13
r3.5.2
r3.5.3
r3.5.4
r3.5.5
r3.5.6
r3.5.7
r3.5.8
r3.5.9
r3.6.0-rc0
r3.6.0-rc1
r3.6.0-rc2
r3.6.0-rc3
r3.6.0-rc4
r3.7.0
r3.7.1
r3.7.2
r3.7.3
r3.7.4
r3.7.5
r3.7.6
r3.7.7
r3.7.8
r3.7.9
r4.*
r4.0.0-rc0
r4.1.0
r4.1.1
r4.1.10
r4.1.11
r4.1.12
r4.1.13
r4.1.2
r4.1.3
r4.1.4
r4.1.5
r4.1.6
r4.1.7
r4.1.8
r4.1.9
r4.3.0
r4.3.1
r4.3.2
r4.3.3
r4.3.4
r4.5.0
r4.8.0-alpha
r4.9.0-alpha
r4.9.0-alpha0
r4.9.0-alpha1
r4.9.0-alpha2
r4.9.0-alpha3
r4.9.0-alpha4
r4.9.0-alpha5
r4.9.0-alpha6
r4.9.0-alpha7
r5.*
r5.0.0-alpha
r5.0.0-alpha0
r5.1.0-alpha
r5.2.0-alpha
r5.3.0-alpha
r5.3.0-alpha0
r5.3.0-alpha1
r5.3.0-alpha2
r5.3.0-alpha3
r5.3.0-alpha4
r6.*
r6.0.0-alpha
r6.0.0-alpha0
r6.0.0-alpha1
r6.1.0-alpha
r6.2.0-alpha
r6.3.0-alpha
r6.3.0-alpha0
r6.3.0-rc0
r7.*
r7.0.0
r7.0.0-alpha
r7.0.0-alpha0
r7.0.1
r7.0.1-rc0
r7.0.10
r7.0.10-rc0
r7.0.11
r7.0.11-rc0
r7.0.11-rc1
r7.0.11-rc2
r7.0.12
r7.0.12-rc0
r7.0.12-rc1
r7.0.13
r7.0.13-rc0
r7.0.13-rc1
r7.0.14
r7.0.14-rc0
r7.0.15
r7.0.15-rc0
r7.0.15-rc1
r7.0.16
r7.0.16-rc0
r7.0.16-rc1
r7.0.17
r7.0.18
r7.0.2
r7.0.2-rc0
r7.0.2-rc1
r7.0.2-rc2
r7.0.21
r7.0.21-alpha0
r7.0.21-rc0
r7.0.22
r7.0.22-rc0
r7.0.23
r7.0.23-rc0
r7.0.23-rc1
r7.0.24
r7.0.24-rc0
r7.0.25-alpha0
r7.0.3
r7.0.3-rc0
r7.0.3-rc1
r7.0.4
r7.0.4-rc0
r7.0.5
r7.0.5-rc0
r7.0.6
r7.0.6-rc0
r7.0.7
r7.0.7-rc0
r7.0.7-rc1
r7.0.7-rc2
r7.0.8
r7.0.8-rc0
r7.0.9
r7.0.9-rc0
r7.0.9-rc1
r7.1.0-alpha
r7.1.0-alpha0
r7.2.0-alpha
r7.2.0-alpha0
r7.3.0-alpha
r7.3.0-alpha0
r7.3.0-alpha1
r7.3.0-rc0
r8.*
r8.0.0
r8.0.0-alpha
r8.0.0-alpha0
r8.0.0-alpha1
r8.0.0-alpha2
r8.0.1
r8.0.1-rc0
r8.0.10
r8.0.10-rc0
r8.0.12
r8.0.12-rc0
r8.0.13
r8.0.13-rc0
r8.0.13-rc1
r8.0.13-rc2
r8.0.14
r8.0.14-rc0
r8.0.14-rc1
r8.0.16-rc0
r8.0.2
r8.0.3
r8.0.4
r8.0.4-rc0
r8.0.5
r8.0.5-rc0
r8.0.5-rc1
r8.0.5-rc2
r8.0.6
r8.1.0-alpha
r8.1.0-alpha0
r8.1.0-alpha1
r8.1.0-alpha2
r8.1.0-alpha3
r8.2.0
r8.2.0-alpha
r8.2.0-alpha0
r8.2.0-alpha1
r8.2.0-alpha2
r8.2.0-rc0
r8.2.1
r8.2.1-rc0
r8.2.1-rc1
r8.3.0-alpha0

Database specific

vanir_signatures
[
    {
        "id": "CVE-2025-14345-0d7700d5",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_windows.cpp",
            "function": "validatePeerCertificate"
        },
        "signature_version": "v1",
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "deprecated": false,
        "digest": {
            "length": 5523.0,
            "function_hash": "169396510644917166107972285471505278925"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-14345-1ac5af1d",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_windows.cpp"
        },
        "signature_version": "v1",
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-14345-5d8a373e",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_apple.cpp"
        },
        "signature_version": "v1",
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52207717764756858887103230689427858974",
                "241284099896496899084843301553798842386",
                "81015194422365157642401834775353309989",
                "306832239360780013917147226125039650941"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-14345-a2bd2a3d",
        "target": {
            "file": "src/mongo/util/net/ssl_manager_apple.cpp",
            "function": "CreateSecTrustPolicies"
        },
        "signature_version": "v1",
        "source": "https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec",
        "deprecated": false,
        "digest": {
            "length": 715.0,
            "function_hash": "60854262378866240810463600752329606435"
        },
        "signature_type": "Function"
    }
]
vanir_signatures_modified
"2026-04-12T17:59:00Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14345.json"