
CVE-2025-13644: CWE-617: Reachable Assertion in MongoDB Inc. MongoDB Server

Severity: Medium
Type: Vulnerability (CVE-2025-13644, CWE-617)
Published: Tue Nov 25 2025 (11/25/2025, 05:23:12 UTC)
Source: CVE Database V5
Vendor/Project: MongoDB Inc.
Product: MongoDB Server

Description

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2.

AI-Powered Analysis

Last updated: 11/25/2025, 05:57:35 UTC

Technical Analysis

CVE-2025-13644 is a vulnerability classified under CWE-617 (Reachable Assertion) affecting MongoDB Server versions 7.0 prior to 7.0.26, 8.0 prior to 8.0.13, and 8.1 prior to 8.1.2. The issue arises during batched delete operations when the server processes documents. Specifically, the server incorrectly infers the presence of multiple documents in a batch based solely on the document size exceeding the BSONObjMaxSize limit. This faulty assumption leads to an invariant failure, triggering an assertion that causes the MongoDB server process to crash. The vulnerability is remotely exploitable over the network by an authenticated user with delete privileges, without requiring user interaction. The impact is a denial of service (DoS) condition due to server unavailability. The CVSS v3.1 score is 6.5 (medium severity), reflecting the ease of exploitation and the significant availability impact, but no confidentiality or integrity loss. No public exploits or active exploitation have been reported as of the publication date. The vulnerability affects widely used MongoDB versions deployed in many enterprise environments, especially those using batched delete operations on large documents. The root cause is a logic flaw in the batch processing code related to document size checks and assumptions about batch composition, leading to a reachable assertion failure.

Potential Impact

For European organizations, this vulnerability primarily poses a risk of denial of service, potentially disrupting applications and services relying on MongoDB databases. Organizations with high availability requirements, such as financial institutions, healthcare providers, and critical infrastructure operators, could experience service outages impacting business continuity. Although the vulnerability does not compromise data confidentiality or integrity, the resulting downtime could lead to operational delays, customer dissatisfaction, and regulatory scrutiny under frameworks like GDPR if service disruptions affect data processing obligations. The requirement for authenticated delete privileges limits exploitation to insiders or compromised accounts, but insider threats or attackers who gain such access could trigger the crash. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. Organizations using batched delete operations on large documents are at higher risk, as this triggers the assertion failure. Overall, the impact is availability degradation with potential cascading effects on dependent services and users.

Mitigation Recommendations

The primary mitigation is to upgrade MongoDB Server to the fixed versions: 7.0.26 or later, 8.0.13 or later, or 8.1.2 or later. Organizations should prioritize patching environments where batched delete operations on large documents are common. Additionally, review and restrict delete privileges to minimize the number of users or applications that can perform such operations, reducing the attack surface. Implement monitoring and alerting for MongoDB server crashes or abnormal restarts to detect exploitation attempts early. Consider isolating MongoDB instances behind firewalls and enforcing strong authentication and authorization controls to prevent unauthorized access. Conduct audits of batched delete usage patterns to identify and refactor queries that may trigger the vulnerability. In environments where immediate patching is not feasible, temporarily disabling batched delete operations or limiting document sizes may reduce risk. Finally, maintain regular backups and disaster recovery plans to restore service quickly if a denial of service occurs.
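To support the upgrade step above, here is an added example (not part of the advisory or of MongoDB's own tooling) that classifies server version strings, as returned by `db.version()`, against the fixed releases named in this advisory: 7.0.26, 8.0.13 and 8.1.2. The inventory host names are constructed; branches the advisory does not list (for example 6.0) are reported as "not listed" rather than guessed at.

```python
# Added example: gate MongoDB server versions against the CVE-2025-13644 fix list.
from __future__ import annotations

import re

# Fixed releases per the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 0): (7, 0, 26),
    (8, 0): (8, 0, 13),
    (8, 1): (8, 1, 2),
}

# Accepts "7.0.25", "v8.0.12" or "8.0.12-rc0"; any pre-release suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a server version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one server version."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        # Branch not named in the advisory (e.g. 6.0 or 8.2): do not guess.
        return "not listed"
    return "affected" if parsed < fixed else "fixed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so affected ones can be scheduled for upgrade first."""
    result: dict[str, list[str]] = {"affected": [], "fixed": [], "not listed": []}
    for host, version in inventory.items():
        result[assess(version)].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (host -> db.version() output); not real hosts.
    sample = {"db-a": "7.0.25", "db-b": "8.0.13", "db-c": "8.1.1", "db-d": "6.0.20"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {hosts}")
```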


Technical Details

Data Version: 5.2
Assigner Short Name: mongodb
Date Reserved: 2025-11-25T05:17:22.910Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6925421a441560fe7ee98db4

Added to database: 11/25/2025, 5:43:54 AM

Last enriched: 11/25/2025, 5:57:35 AM

Last updated: 11/25/2025, 6:48:16 AM
