
CVE-2025-10059: CWE-732 Incorrect Permission Assignment for Critical Resource in MongoDB Inc MongoDB Server

Severity: Medium
Tags: Vulnerability, CVE-2025-10059, CWE-732
Published: Fri Sep 05 2025 (09/05/2025, 20:26:52 UTC)
Source: CVE Database V5
Vendor/Project: MongoDB Inc
Product: MongoDB Server

Description

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

AI-Powered Analysis

AILast updated: 09/05/2025, 20:57:48 UTC

Technical Analysis

CVE-2025-10059 is a medium-severity vulnerability affecting MongoDB Server 6.0 prior to 6.0.x, 7.0 prior to 7.0.18, and 8.0 prior to 8.0.6. It concerns the lsid (logical session identifier) field, a generic command argument, when it is supplied on a sharded query in a context where it is not applicable: instead of rejecting the argument, the MongoDB router (the mongos process) crashes. The assigned weakness is CWE-732 (Incorrect Permission Assignment for Critical Resource); in practical terms the observable defect is that mongos accepts and acts on an lsid value it should have rejected, and the result is a denial of service. Confidentiality and integrity are not affected.

The CVSS v3.1 base score is 6.5 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). PR:L means an attacker needs an authenticated account that can issue queries against a sharded collection through mongos; no elevated role is required. No exploitation in the wild has been reported.

Only sharded deployments are exposed, because the crash occurs in mongos, which exists only as the query router of a sharded cluster; standalone mongod instances and replica sets without sharding do not run the affected code path. In a sharded cluster every client request passes through a router, so a crashed mongos interrupts all traffic routed through it until it is restarted, and a router that can be crashed repeatedly with a single malformed query can be kept down indefinitely. Since MongoDB backs many production services, this can cause significant operational disruption whether the condition is triggered deliberately or by a misbehaving client.

Potential Impact

For European organizations, the impact is primarily availability disruption in environments that run sharded MongoDB clusters. Organizations relying on MongoDB for critical applications, such as financial services, healthcare, e-commerce, and public sector services, may experience service outages or degraded performance when routers crash. This can mean downtime, loss of business continuity, and potential regulatory exposure where availability is a compliance requirement (for example GDPR Article 32, which requires the ability to ensure the ongoing availability and resilience of processing systems). Because the vulnerability requires only low privileges and no user interaction, an insider or a compromised low-privilege application account that can reach mongos is enough to trigger it. The absence of confidentiality or integrity impact means this is not a data-breach vector, but it does not reduce the operational risk. Organizations with large, distributed deployments spanning several regions or data centres are particularly exposed, since those are exactly the deployments that use sharding and depend on routers for every client request.

Mitigation Recommendations

1. Immediate patching: Upgrade MongoDB Server to a fixed release. The advisory names 7.0.18 and 8.0.6 as the first fixed versions in the 7.0 and 8.0 series; the fixed 6.0 release is given only as 6.0.x on this page, so consult the vendor advisory for the exact 6.0 version. Note that in a sharded cluster it is the mongos routers that crash, so routers must be upgraded, not only the shard and config servers.
2. Access control: Restrict the accounts and applications that can issue queries through mongos to those that need it, and keep their roles minimal. The attack requires an authenticated account (PR:L), so every unnecessary login is attack surface.
3. Query validation: Where applications build raw commands rather than relying on the driver's session handling, ensure an lsid is only attached to operations where it is applicable, so malformed commands never reach the router.
4. Monitoring and alerting: Watch mongos process restarts, crash logs and router-level availability metrics; a router that restarts repeatedly with no deployment activity is the signal that this condition is being triggered, deliberately or otherwise.
5. Network segmentation: Keep mongos routers in a network segment reachable only from application tiers that need them, so that an attacker must first obtain both network reach and credentials.
6. Incident response readiness: Plan for router denial of service: run more than one mongos behind client-side or load-balancer failover, and make sure restarts are automated so a single crash does not become an outage.
7. Vendor communication: Track MongoDB Inc advisories for updates to the affected-version ranges and the 6.0 fixed release.
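The first step in item 1 is establishing which routers are actually in the affected ranges. The following is an added example and not code from the page or from MongoDB: it takes the output of the serverStatus command (which on a real cluster is obtained per router, for example with pymongo's `db.command("serverStatus")`, and requires the serverStatus privilege that the built-in clusterMonitor role grants) and classifies the node. It only flags processes whose `process` field is `mongos`, because mongod instances do not run the affected router code; it compares against the fixed versions the advisory names; and it treats the 6.0 series as affected with the fix version unknown, since this page only gives it as 6.0.x. The sample serverStatus documents at the bottom are constructed for the example, and a pre-release build such as 7.0.18-rc0 is deliberately classified as before 7.0.18.

```python
"""Classify MongoDB routers against the CVE-2025-10059 affected-version ranges (added example)."""
from __future__ import annotations

import re
from typing import Optional

# First fixed release per series, as named in the advisory on this page.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 18),
    (8, 0): (8, 0, 6),
}
# Series the advisory lists as affected without naming the fixed release here.
AFFECTED_SERIES_FIX_UNKNOWN = {(6, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-<pre-release>' into a comparable tuple.

    The fourth element is 0 for pre-release builds and 1 for final releases,
    so that 7.0.18-rc0 sorts before 7.0.18.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch), 0 if pre else 1


def assess_router(server_status: dict) -> str:
    """Return one of:
    'not-a-router'                  process is not mongos (not exposed to this CVE)
    'affected'                      mongos below the fixed release for its series
    'fixed'                         mongos at or above the fixed release
    'affected-fix-version-unknown'  mongos in a listed series whose fix is not named here
    'not-in-listed-ranges'          mongos in a series the advisory does not list
    """
    if server_status.get("process") != "mongos":
        return "not-a-router"
    version = parse_version(server_status["version"])
    series = version[:2]
    if series in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[series] + (1,)  # final release marker
        return "affected" if version < fixed else "fixed"
    if series in AFFECTED_SERIES_FIX_UNKNOWN:
        return "affected-fix-version-unknown"
    return "not-in-listed-ranges"


def affected_hosts(statuses: dict[str, dict]) -> list[str]:
    """Given {host: serverStatus}, list hosts that still need an upgrade."""
    needs_upgrade = {"affected", "affected-fix-version-unknown"}
    return sorted(h for h, s in statuses.items() if assess_router(s) in needs_upgrade)


def fetch_server_status(uri: str) -> Optional[dict]:
    """Fetch serverStatus from a live node with pymongo (optional; not used offline)."""
    try:
        from pymongo import MongoClient  # assumed available only when run against a cluster
    except ImportError:
        return None
    with MongoClient(uri, serverSelectionTimeoutMS=5000) as client:
        return client.admin.command("serverStatus")


# Constructed sample serverStatus documents (only the fields this check uses).
SAMPLE_STATUSES = {
    "router-a:27017": {"process": "mongos", "version": "7.0.17"},
    "router-b:27017": {"process": "mongos", "version": "7.0.18"},
    "router-c:27017": {"process": "mongos", "version": "8.0.6-rc0"},
    "router-d:27017": {"process": "mongos", "version": "6.0.20"},
    "shard0-primary:27018": {"process": "mongod", "version": "7.0.17"},
    "legacy-router:27017": {"process": "mongos", "version": "5.0.30"},
}

if __name__ == "__main__":
    for host, status in SAMPLE_STATUSES.items():
        print(f"{host:24} {status['version']:12} {assess_router(status)}")
    print("needs upgrade:", affected_hosts(SAMPLE_STATUSES))
```

Run against a real cluster, the `statuses` mapping would be built by calling `fetch_server_status` once per router address (every mongos, not only the one behind the application's connection string). The check deliberately reports a 5.0 router as `not-in-listed-ranges` rather than `fixed`: the advisory does not say that series is unaffected, only that it is not listed, and an unsupported series should be judged from the vendor's lifecycle rather than from this script.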


Technical Details

Data Version: 5.1
Assigner Short Name: mongodb
Date Reserved: 2025-09-05T20:10:54.977Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bb4b3f535f4a97730eac11

Added to database: 9/5/2025, 8:42:39 PM

Last enriched: 9/5/2025, 8:57:48 PM

Last updated: 9/5/2025, 11:45:18 PM
