Pre-Auth Flaw in MongoDB Server Allows Attackers to Cause DoS
A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication.
The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes.
This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation).
Vulnerability Analysis
Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism.
The server fails to properly validate date values in JSON input, leading to:
- Complete server crashes without authentication in v7.0 and v8.0 deployments
- Post-authentication DoS in v6.0 environments
- Critical disruption of database operations through invariant failures
The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact.
MongoDB has classified this as CWE-20 (Improper Input Validation).
The OIDC flaw follows multiple security issues disclosed in MongoDB this year:
| CVE ID | Description | CVSS | Affected Versions | Fixed Versions |
| --- | --- | --- | --- | --- |
| CVE-2025-6709 | Pre-auth DoS via OIDC date handling | 7.5 | v6.0 | 6.0.21/7.0.17/8.0.5 |
Mitigation and Updates
Administrators should immediately upgrade to patched versions:
- MongoDB v6.0 → 6.0.21 or later
- MongoDB v7.0 → 7.0.17 or later
- MongoDB v8.0 → 8.0.5 or later
For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.
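To turn the upgrade guidance above into a repeatable check, the following Python helper (an added example, not MongoDB's own tooling) classifies a reported server version against the fixed versions named in this article. It assumes version strings of the form `X.Y.Z` with an optional build suffix (for example `7.0.16-ent`), treats release-candidate builds of a fixed version as still unpatched, and reports branches the article does not cover as unknown rather than guessing.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed versions per release branch, as stated in the advisory summary above.
# Branches not listed here are outside what the article covers.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 21),
    (7, 0): (7, 0, 17),
    (8, 0): (8, 0, 5),
}

# Per the article, 6.0 needs an authenticated session to trigger the crash;
# 7.0 and 8.0 are reachable before authentication.
PRE_AUTH_BRANCHES = {(7, 0), (8, 0)}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?\s*$")


@dataclass
class Assessment:
    version: str
    affected: Optional[bool]   # None = branch not covered by the advisory
    pre_auth: bool             # True if the crash is reachable without credentials
    fixed_in: Optional[str]
    note: str


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for 'X.Y.Z[-suffix]'."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    # Assumption: a suffix starting with 'rc' denotes a pre-release build that
    # predates the final release and therefore lacks the fix.
    is_prerelease = bool(suffix) and suffix.lower().startswith("rc")
    return int(major), int(minor), int(patch), is_prerelease


def assess(version: str) -> Assessment:
    major, minor, patch, prerelease = parse_version(version)
    branch = (major, minor)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return Assessment(version, None, False, None,
                          "branch not covered by the CVE-2025-6709 advisory; check vendor guidance")
    fixed_str = ".".join(str(x) for x in fixed)
    # Rank pre-release builds below the final build of the same number so that
    # 7.0.17-rc0 sorts before 7.0.17.
    current = (major, minor, patch, 0 if prerelease else 1)
    affected = current < fixed + (1,)
    pre_auth = branch in PRE_AUTH_BRANCHES
    if affected:
        reach = "without authentication" if pre_auth else "only after authentication"
        note = f"upgrade to {fixed_str} or later; OIDC crash reachable {reach}"
    else:
        note = "patched for CVE-2025-6709"
    return Assessment(version, affected, pre_auth, fixed_str, note)


if __name__ == "__main__":
    # Constructed sample inventory; real values would come from db.version().
    inventory = ["6.0.20", "6.0.21", "7.0.16-ent", "7.0.17-rc0", "8.0.4", "8.0.5", "5.0.30"]
    for v in inventory:
        a = assess(v)
        print(f"{a.version:<12} affected={a.affected!s:<5} {a.note}")
```

In practice the inventory list would be populated from each deployment's `db.version()` output; the helper deliberately raises on strings it cannot parse rather than silently marking them safe.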
MongoDB has confirmed no known active exploits currently target this vulnerability, but proof-of-concept reproduction is confirmed via the mongo shell.
This vulnerability highlights persistent risks in database authentication mechanisms, particularly as enterprises increasingly adopt OIDC for cloud-native deployments.
The discovery follows multiple MongoDB vulnerabilities disclosed in 2025, including certificate validation bypasses (CVE-2025-3085) and unauthenticated DoS flaws (CVE-2025-3083).
Database administrators should prioritize patch cycles and monitor authentication logs for anomalous JSON payloads containing date objects.