pkg:Bitnami/mongodb

70 total CVEs: CRITICAL 3, HIGH 15, MEDIUM 26. The remaining 26 entries carry no severity score on this page.


All known vulnerabilities

  • CVE-2025-14847 (HIGH, CVSS 7.5, listed in CISA KEV): Zlib compressed protocol header length confusion may allow memory read
    >= 4.4.0, < 4.4.30, >= 5.0.0, < 5.0.32, >= 6.0.0, < 6.0.27, >= 7.0.0, < 7.0.28, >= 8.0.0, < 8.0.17, >= 8.2.0, < 8.2.3
  • CVE-2025-3085 (CRITICAL, CVSS 9.8): MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked
    >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.4
  • CVE-2024-8654 (CRITICAL, CVSS 9.8): MongoDB Server may access non-initialized region of memory leading to unexpected behaviour
    >= 6.0.0, < 6.0.15
  • CVE-2024-1351 (CRITICAL, CVSS 9.8): MongoDB Server may allow successful untrusted connection
    >= 4.4.0, < 5.0.26, >= 6.0.0, < 6.0.14, >= 7.0.0, < 7.0.7
  • CVE-2025-6706 (HIGH, CVSS 8.8): Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server
    >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.4
  • CVE-2024-10921 (HIGH, CVSS 8.1): Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server
    >= 5.0.0, < 5.0.30, >= 6.0.0, < 6.0.19, >= 7.0.0, < 7.0.15, >= 8.0.0, < 8.0.3
  • CVE-2024-7553 (HIGH, CVSS 7.8): Accessing Untrusted Directory May Allow Local Privilege Escalation
    >= 5.0.0, < 5.0.27, >= 6.0.0, < 6.0.16, >= 7.0.0, < 7.0.12
  • CVE-2025-6714 (HIGH, CVSS 7.5): Incorrect handling of incomplete data may prevent mongos from accepting new connections
    >= 6.0.0, < 6.0.23, >= 7.0.0, < 7.0.20, >= 8.0.0, < 8.0.9
  • CVE-2025-3083 (HIGH, CVSS 7.5): Malformed MongoDB wire protocol messages may cause mongos to crash
    >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16
  • CVE-2024-3372 (HIGH, CVSS 7.5): MongoDB Server may have unexpected application behaviour due to invalid BSON
    >= 5.0.0, < 5.0.25, >= 6.0.0, < 6.0.14, >= 7.0.0, < 7.0.6
  • CVE-2025-10060 (HIGH, CVSS 7.5): MongoDB may be susceptible to Invariant Failure in Transactions due to Upsert Operation
    >= 6.0.0, < 6.0.25, >= 7.0.0, < 7.0.22, >= 8.0.0, < 8.0.12
  • CVE-2025-6710 (HIGH, CVSS 7.5): Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB
    >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.5
  • CVE-2025-6709 (HIGH, CVSS 7.5): Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication
    >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.5
  • CVE-2025-0755 (HIGH, CVSS 7.5): MongoDB C Driver bson library may be susceptible to buffer overflow
    >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.1
  • CVE-2020-7925 (HIGH, CVSS 7.5): Denial of Service when processing malformed Role names
    >= 4.2.0, < 4.2.9
  • CVE-2021-32040 (HIGH, CVSS 7.5): Large aggregation pipelines with a specific stage can crash mongod under default configuration
    >= 4.2.0, < 4.2.16, >= 4.4.0, < 4.4.11, >= 5.0.0, < 5.0.4
  • CVE-2023-1409 (HIGH, CVSS 7.5): Certificate validation issue in MongoDB Server running on Windows or macOS
    >= 4.4.0, < 4.4.23, >= 5.0.0, < 5.0.15, >= 6.0.0, < 6.0.7, >= 6.3.0, < 6.3.3
  • CVE-2021-32036 (HIGH, CVSS 7.1): Denial of Service and Data Integrity vulnerability in features command
    >= 2.0.0, < 4.2.18, >= 4.4.0, < 4.4.10, >= 5.0.0, < 5.0.4
  • CVE-2024-8207 (MEDIUM, CVSS 6.7): MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths
    >= 5.0.0, < 5.0.26, >= 6.0.0, < 6.0.14, >= 6.1.0, < 7.0.7
  • CVE-2025-11979 (MEDIUM, CVSS 6.5): Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior
    >= 7.0.0, < 7.0.25, >= 8.0.0, < 8.0.15
  • CVE-2025-7259 (MEDIUM, CVSS 6.5): Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash
    >= 8.1.0, < 8.2.0
  • CVE-2025-6713 (MEDIUM, CVSS 6.5): MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage
    >= 6.0.0, < 6.0.22, >= 7.0.0, < 7.0.19, >= 8.0.0, < 8.0.7
  • CVE-2025-6712 (MEDIUM, CVSS 6.5): MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation
    >= 8.0.0, < 8.0.10
  • CVE-2025-3084 (MEDIUM, CVSS 6.5): MongoDB Server may crash due to improper validation of explain command
    >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.4
  • CVE-2025-10059 (MEDIUM, CVSS 6.5): MongoDB Server router will crash when incorrect lsid is set on a sharded query
    >= 6.0.0, < 6.0.24, >= 7.0.0, < 7.0.18, >= 8.0.0, < 8.0.6
  • CVE-2025-10061 (MEDIUM, CVSS 6.5): Malformed $group Query May Cause MongoDB Server to Crash
    >= 6.0.0, < 6.0.25, >= 7.0.0, < 7.0.22, >= 8.0.0, < 8.0.12, >= 8.1.0, < 8.1.2
  • CVE-2024-8305 (MEDIUM, CVSS 6.5): MongoDB Server secondaries may crash due to forced index constraints
    >= 6.0.0, < 6.0.17, >= 7.0.0, < 7.0.14
  • CVE-2024-6375 (MEDIUM, CVSS 6.5): Missing authorization check may lead to shard key refinement
    >= 5.0.0, < 5.0.22, >= 6.0.0, < 6.0.11, >= 7.0.0, < 7.0.3
  • CVE-2020-7926 (MEDIUM, CVSS 6.5): Specific query can cause a DoS against MongoDB Server
    >= 4.4.0, < 4.4.1
  • CVE-2020-7928 (MEDIUM, CVSS 6.5): Improper neutralization of null byte leads to read overrun
    >= 3.6.0, < 3.6.20, >= 4.0.0, < 4.0.20, >= 4.2.0, < 4.2.9, >= 4.4.0, < 4.4.1, >= 4.5.0, < 4.5.1
  • CVE-2020-7929 (MEDIUM, CVSS 6.5): Specially crafted regex query can cause DoS
    >= 3.6.0, < 3.6.21, >= 4.0.0, < 4.0.20
  • CVE-2021-20326 (MEDIUM, CVSS 6.5): Specially crafted query may result in a denial of service of mongod
    >= 4.4.0, < 4.4.4
  • CVE-2021-20330 (MEDIUM, CVSS 6.5): Specific replication command with malformed oplog entries can crash secondaries
    >= 4.0.0, < 4.0.25, >= 4.2.0, < 4.2.14, >= 4.4.0, < 4.4.6
  • CVE-2021-32037 (MEDIUM, CVSS 6.5): User may trigger invariant when allowed to send commands directly to shards
    >= 5.0.0, < 5.0.3
  • CVE-2022-24272 (MEDIUM, CVSS 6.5): MongoDB Server (mongod) may crash in response to unexpected requests
    >= 5.0.0, < 5.0.7
  • CVE-2020-7923 (MEDIUM, CVSS 6.5): Specific GeoQuery can cause DoS against MongoDB Server
    >= 4.0.0, < 4.0.19, >= 4.2.0, < 4.2.8, >= 4.4.0, < 4.4.0
  • CVE-2021-32039 (MEDIUM, CVSS 5.5): MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text
    from 0, < 0.7.1
  • CVE-2025-3082 (MEDIUM, CVSS 5.4): User may override a view's collation and gain unauthorized access to underlying data
    >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.14, >= 7.3.0, < 7.3.4
  • CVE-2025-6707 (MEDIUM, CVSS 5.4): Race condition in privilege cache invalidation cycle
    >= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.24, >= 7.0.0, < 7.0.21, >= 8.0.0, < 8.0.5
  • CVE-2024-3374 (MEDIUM, CVSS 5.3): MongoDB Server (mongod) may crash when generating ftdc
    >= 5.0.0, < 5.0.26, >= 6.0.0, < 6.0.15
  • CVE-2024-6384 (MEDIUM, CVSS 5.3): "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier
    >= 6.0.0, < 6.0.16, >= 7.0.0, < 7.0.11, >= 7.3.0, < 7.3.3
  • CVE-2020-7921 (MEDIUM, CVSS 5.3): Administrative action may disable enforcement of per-user IP whitelisting
    >= 3.6.0, < 3.6.18, >= 4.0.0, < 4.0.15, >= 4.2.0, < 4.2.3, >= 4.3.0, < 4.3.3
  • CVE-2021-20333 (MEDIUM, CVSS 5.3): Server log entry spoofing via newline injection
    >= 3.6.0, < 3.6.20, >= 4.0.0, < 4.0.21, >= 4.2.0, < 4.2.10
  • CVE-2025-6711 (MEDIUM, CVSS 4.9): Incomplete Redaction of Sensitive Information in MongoDB Server Logs
    >= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.18, >= 8.0.0, < 8.0.5
  • CVE-2026-8336 (no severity score): Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands
    >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
  • CVE-2026-8202 (no severity score): Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators
    >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
  • CVE-2026-8200 (no severity score): Schema validation log messages may not redact user data
    >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
  • CVE-2026-8053 (no severity score): FlatBSON Duplicate Field Index Drift
    >= 5.0.0, < 5.0.33, >= 6.0.0, < 6.0.28, >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
  • CVE-2026-8201 (no severity score): Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields
    >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
  • CVE-2026-8199 (no severity score): Post-auth memory exhaustion via bitwise match expressions
    >= 7.0.0, < 7.0.34, >= 8.0.0, < 8.0.23, >= 8.2.0, < 8.2.9, >= 8.3.0, < 8.3.2
  • CVE-2026-4148 (no severity score): ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators
    >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.20, >= 8.2.0, < 8.2.6, >= 8.3.0, < 8.3.1
  • CVE-2026-4147 (no severity score): Stack memory disclosure in filemd5 command
    >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.20, >= 8.2.0, < 8.2.6, >= 8.3.0, < 8.3.1
  • CVE-2025-14345 (no severity score): Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server
    >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.16, >= 8.2.0, < 8.2.2, >= 8.3.0, < 8.3.1
  • CVE-2026-8063 (no severity score): Post-auth null pointer dereference when aggregating against a view with empty search pipeline
    >= 8.2.0, < 8.2.7
  • CVE-2026-6915 (no severity score): Flaw in the updateUser Command May Allow Unauthorized Configuration Change
    >= 7.0.0, < 7.0.32, >= 8.0.0, < 8.0.21, >= 8.2.0, < 8.2.7
  • CVE-2026-6914 (no severity score): MD5 checksum creation may cause availability loss
    >= 7.0.0, < 7.0.32, >= 8.0.0, < 8.0.21, >= 8.1.0, < 8.2.7
  • CVE-2026-5170 (no severity score): Users could trigger a crash of mongod primaries during promotion to sharded
    >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.2
  • CVE-2026-4358 (no severity score): Memory safety issues in slot-based execution hash table spill
    >= 7.0.0, < 7.0.31, >= 8.0.0, < 8.0.20, >= 8.2.0, < 8.2.6
  • CVE-2026-25613 (no severity score): An unsafe cast in the MongoDB query planner can result in a segmentation fault
    >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
  • CVE-2026-25610 (no severity score): Invalid $geoNear index hint may cause server crash
    >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.13
  • CVE-2026-25609 (no severity score): profile command may permit unauthorized configuration
    >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
  • CVE-2026-1850 (no severity score): An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification
    >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
  • CVE-2026-1849 (no severity score): Mongod can run out of stack memory when expressions create deeply nested documents
    >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.2
  • CVE-2026-1848 (no severity score): Connections received from the proxy port may not count towards total accepted connections
    >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
  • CVE-2026-1847 (no severity score): MongoDB Server may crash when inserting large documents
    >= 7.0.0, < 7.0.29, >= 8.0.0, < 8.0.18, >= 8.2.0, < 8.2.4
  • CVE-2025-12657 (no severity score): Malformed KMIP response may result in access violation
    >= 6.0.0, < 7.0.22, >= 8.0.0, < 8.0.10
  • CVE-2025-13644 (no severity score): MongoDB may be susceptible to Invariant Failure due to batched delete
    >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.13, >= 8.1.0, < 8.1.2
  • CVE-2025-13643 (no severity score): MongoDB Server may allow queries to be terminated by unauthorized users
    >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.14
  • CVE-2025-13507 (no severity score): Time-series operations may cause internal BSON size limit to be exceeded
    >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.16, >= 8.2.0, < 8.2.1
  • CVE-2025-12893 (no severity score): Improper Certificate Validation May Allow Successful TLS Handshaking Despite Invalid Extended Key Usage Fields in MongoDB Server
    >= 7.0.0, < 7.0.26, >= 8.0.0, < 8.0.16, >= 8.2.0, < 8.2.2
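An added example, not part of this listing and not Bitnami's or MongoDB's own tooling: a small Python checker that parses the version-range notation used in the entries above (a `>=` or `from` lower bound followed by an exclusive `<` upper bound, repeated per interval) and reports which entries cover an installed server. It embeds five entries copied from the list; extend `ADVISORIES` with the rest for a full check. The version parser accepts what `mongod --version` prints (`db version v7.0.14`), a Bitnami image tag such as `7.0.14-debian-12-r0` (that tag layout is an assumption about Bitnami's published images), or a bare `7.0.14`. It also flags degenerate intervals such as the `>= 4.4.0, < 4.4.0` pair on CVE-2020-7923, which can never match and must not be read as "every 4.4.x build is unaffected".

```python
import re

# Five entries copied from the listing above, in the page's own range notation.
# Extend this dict with the remaining entries to check against the whole list.
ADVISORIES = {
    "CVE-2025-14847": ">= 4.4.0, < 4.4.30, >= 5.0.0, < 5.0.32, >= 6.0.0, < 6.0.27, "
                      ">= 7.0.0, < 7.0.28, >= 8.0.0, < 8.0.17, >= 8.2.0, < 8.2.3",
    "CVE-2025-3085": ">= 5.0.0, < 5.0.31, >= 6.0.0, < 6.0.20, >= 7.0.0, < 7.0.16, >= 8.0.0, < 8.0.4",
    "CVE-2024-1351": ">= 4.4.0, < 5.0.26, >= 6.0.0, < 6.0.14, >= 7.0.0, < 7.0.7",
    "CVE-2025-6710": ">= 6.0.0, < 6.0.21, >= 7.0.0, < 7.0.17, >= 8.0.0, < 8.0.5",
    "CVE-2020-7923": ">= 4.0.0, < 4.0.19, >= 4.2.0, < 4.2.8, >= 4.4.0, < 4.4.0",
}

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from the first dotted number in `text`.

    Handles 'db version v7.0.14' (mongod --version output), a Bitnami image tag
    such as '7.0.14-debian-12-r0' (assumed tag layout), and bare '7.0.14' or '0'.
    Missing components are treated as 0 so that 'from 0' parses as (0, 0, 0).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def parse_ranges(spec):
    """Turn '>= a, < b, >= c, < d' into [(a, b), (c, d)].

    The listing writes every affected interval as a lower bound ('>=' or 'from')
    immediately followed by an exclusive upper bound ('<'); anything else is a
    data error and is rejected rather than silently skipped.
    """
    ranges = []
    lower = None
    for token in spec.split(","):
        op, ver = token.split()
        bound = parse_version(ver)
        if op in (">=", "from"):
            lower = bound
        elif op == "<":
            if lower is None:
                raise ValueError(f"upper bound without lower bound in {spec!r}")
            ranges.append((lower, bound))
            lower = None
        else:
            raise ValueError(f"unknown operator {op!r} in {spec!r}")
    if lower is not None:
        raise ValueError(f"dangling lower bound in {spec!r}")
    return ranges


def degenerate_ranges(spec):
    """Intervals whose upper bound is not above the lower bound; they match nothing.

    CVE-2020-7923 above lists '>= 4.4.0, < 4.4.0': a checker that trusts that
    pair reports every 4.4.x build as unaffected, so surface it for review.
    """
    return [(lo, hi) for lo, hi in parse_ranges(spec) if hi <= lo]


def is_affected(version, spec):
    """True when the version tuple falls inside any interval of `spec`."""
    return any(lo <= version < hi for lo, hi in parse_ranges(spec))


def affected_cves(version_text, advisories=ADVISORIES):
    """Sorted CVE IDs whose ranges cover the installed version."""
    version = parse_version(version_text)
    return sorted(cve for cve, spec in advisories.items() if is_affected(version, spec))


if __name__ == "__main__":
    import subprocess
    import sys

    # Pass a version string or image tag as argv[1]; otherwise ask the local mongod.
    installed = sys.argv[1] if len(sys.argv) > 1 else subprocess.run(
        ["mongod", "--version"], capture_output=True, text=True, check=True).stdout
    hits = affected_cves(installed)
    print(f"{'.'.join(map(str, parse_version(installed)))}: {len(hits)} matching advisories")
    for cve in hits:
        print("  ", cve)
    for cve, spec in ADVISORIES.items():
        for lo, hi in degenerate_ranges(spec):
            print(f"  warning: {cve} carries an empty interval >= {lo}, < {hi}; verify upstream")
```

Run it with no argument on the database host, or pass a version string or Bitnami tag as the first argument. A range match is a prompt to read the advisory, not proof of exposure: several entries only apply to a particular deployment (mongos routers, OIDC authentication, KMIP key management, FLE query analysis, Windows or macOS builds), and the VS Code extension entry is not a server vulnerability at all even though it sits in the same list.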