CVE-2025-14345

Description

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.

CVSS v3.1 Score

4.2

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Weakness Type (CWE)

CWE-667 CWE-667

Affected Products

Vendor	Product	Versions
mongodb	mongodb	7.0.0 — 7.0.26
mongodb	mongodb	8.0.0 — 8.0.16
mongodb	mongodb	8.2.0 — 8.2.2
mongodb	mongodb	All

References

Advisories & Patches

https://jira.mongodb.org/browse/SERVER-106075

Frequently Asked Questions

What is CVE-2025-14345? +

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2. It has a CVSS v3.1 base score of 4.2 (MEDIUM).

How severe is CVE-2025-14345? +

CVE-2025-14345 has a CVSS v3.1 score of 4.2 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-14345? +

CVE-2025-14345 affects products from mongodb, specifically: mongodb. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-14345? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-1221

A Zigbee Radio Co-Processor (RCP), which is using SiLabs EmberZNet Zigbee stack, was unable to send messages to the host …

CVE-2025-10151

Improper locking vulnerability in Softing Industrial Automation GmbH gateways allows infected memory and/or resource leak exposure.This issue affects smartLink HW-PN: …

CVE-2026-43215 8.8

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to …

CVE-2026-31629 8.8

In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() …

CVE-2021-22530 8.2

A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API …

CVE-2024-58087 8.1

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue from session lookup and expire Increment …