MongoDB
CVE-2025-14911
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.
AnalysisAI
User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container. [CVSS 6.5 MEDIUM]
Technical ContextAI
Classified as CWE-120 (Classic Buffer Overflow). User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.
Affected ProductsAI
User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.
RemediationAI
Monitor vendor advisories for a patch. Enable ASLR, DEP/NX, and stack canaries where possible. Restrict network access to the affected service where possible.
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMo
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's
The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to
SimStudio below 0.5.74 has a missing authorization on MongoDB tool endpoints that allows attackers to execute arbitrary
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are calle
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which ma
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log e
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompr
A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain acc
bson/_cbsonmodule.c in the mongo-python-driver (aka. Rated medium severity (CVSS 4.3), this vulnerability is remotely ex
Same weakness CWE-120 – Classic Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today