Pre-Auth Flaw in MongoDB Server Allows Attackers to Cause DoS
A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication. The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes.

This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation).

Vulnerability Analysis

Attackers can reproduce the exploit using MongoDB's mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism. The server fails to properly validate date values in JSON input, leading to:

- Complete server crashes without authentication in v7.0 and v8.0 deployments
- Post-authentication DoS in v6.0 environments
- Critical disruption of database operations through invariant failures

The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact. MongoDB has classified this as CWE-20 (Improper Input Validation).

Mitigation and Updates

Administrators should immediately upgrade to patched versions:

- MongoDB v6.0 → 6.0.21 or later
- MongoDB v7.0 → 7.0.17 or later
- MongoDB v8.0 → 8.0.5 or later

For environments where immediate patching isn't feasible, consider disabling OIDC authentication until updates are applied.
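The following is an added fleet-audit helper, not code from MongoDB or from this advisory's author. It classifies a server's reported version string against the fixed releases named above (6.0.21, 7.0.17, 8.0.5), records whether exposure on that branch is pre-auth or post-auth, and treats the OIDC-disabled interim workaround as "mitigated"; the function and field names are assumptions.

```python
"""Audit helper for CVE-2025-6709 (MongoDB Server OIDC DoS).

Example code added for illustration (not MongoDB's own). It compares a
version string such as the output of db.version() against the fixed
releases in the advisory. Release lines the advisory does not name
(e.g. 5.0 or 8.1) are reported as 'unknown' rather than guessed.
"""
from typing import Dict, Tuple

# Fixed release per branch and whether the crash needs authentication there.
FIXED = {
    (6, 0): ((6, 0, 21), "post-auth"),
    (7, 0): ((7, 0, 17), "pre-auth"),
    (8, 0): ((8, 0, 5), "pre-auth"),
}


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '7.0.17' or '7.0.17-rc1' into (major, minor, patch, is_final).

    A pre-release suffix (rc/alpha) sorts below the final release of the
    same number, so an rc of the fixed version still counts as unpatched.
    """
    core, _, suffix = v.strip().partition("-")
    core = core.split("+")[0]                       # drop build metadata
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {v!r}")
    is_final = 0 if suffix else 1
    return int(parts[0]), int(parts[1]), int(parts[2]), is_final


def assess(version: str, oidc_enabled: bool = True) -> Dict[str, object]:
    """Return status, exposure and the branch's fixed version for one server."""
    major, minor, patch, is_final = parse_version(version)
    entry = FIXED.get((major, minor))
    if entry is None:
        return {"status": "unknown", "exposure": None, "fixed_in": None}
    fixed, exposure = entry
    if (major, minor, patch, is_final) >= fixed + (1,):
        return {"status": "patched", "exposure": None, "fixed_in": fixed}
    if not oidc_enabled:
        # Advisory's interim workaround: OIDC off until the upgrade lands.
        return {"status": "mitigated", "exposure": exposure, "fixed_in": fixed}
    return {"status": "vulnerable", "exposure": exposure, "fixed_in": fixed}


def audit(fleet: Dict[str, Tuple[str, bool]]) -> Dict[str, str]:
    """Map host -> status for {host: (version, oidc_enabled)} inventory."""
    return {host: str(assess(ver, oidc)["status"]) for host, (ver, oidc) in fleet.items()}
```

Feed it an inventory pulled from each node's db.version() and your OIDC configuration to see which hosts are still exposed before a login is even attempted.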