MongoDB CVE-2025-6713: Unauthorized Data Access via $mergeCursors Exploit Explained

A critical vulnerability in MongoDB's aggregation pipeline ($mergeCursors stage) enables unauthorized data access, impacting MongoDB Server versions prior to 8.0.7, 7.0.20, and 6.0.22.
CVE Analysis


ZeroPath Security Research


2025-07-07


Introduction

MongoDB, a leading NoSQL database platform, faces a critical security vulnerability (CVE-2025-6713) that could compromise data confidentiality across countless deployments. The flaw specifically targets the $mergeCursors stage within MongoDB's aggregation pipeline, potentially allowing unauthorized users to bypass access controls and gain sensitive data access.

Technical Information

The vulnerability is rooted in MongoDB's aggregation framework, particularly the $mergeCursors stage, which merges query results from multiple shards. Due to improper authorization handling, attackers can exploit this stage using specially crafted aggregation pipelines to bypass role-based access controls (RBAC). The issue arises from MongoDB's internal optimization logic, which caches authorization contexts improperly during distributed query execution. This oversight allows unauthorized data retrieval, violating the principle of least privilege.

An attacker with minimal privileges can exploit this vulnerability by crafting a pipeline such as:

[ { $match: { sensitiveField: { $exists: true } } }, { $mergeCursors: { /* malicious configuration */ } } ]

This pipeline manipulates cursor handling to bypass collection-level permission checks, exploiting the lack of re-validation of permissions at the cursor-merging phase.

Affected Systems and Versions

The following MongoDB Server versions are specifically vulnerable:

  • MongoDB Server v8.0 versions prior to 8.0.7
  • MongoDB Server v7.0 versions prior to 7.0.20
  • MongoDB Server v6.0 versions prior to 6.0.22
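Two checks a defender can run against the details above, as an added example that is not part of the original report or of MongoDB's own tooling: a version test against the fixed releases listed for each branch, and a log scan that flags client-issued aggregate commands carrying a $mergeCursors stage (an internal shard-merging stage that application clients have no ordinary reason to send), searching nested sub-pipelines as well. The sample log lines are constructed and only modelled on MongoDB's structured JSON log layout; the exact field names are an assumption to adapt to your deployment.

```python
import json
from typing import Optional

# Fixed releases per branch, taken from the "Affected Systems and Versions" list above.
FIXED_VERSIONS = {(8, 0): (8, 0, 7), (7, 0): (7, 0, 20), (6, 0): (6, 0, 22)}


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the server predates the fix on its branch, False if it is at or
    past the fix, None if the branch is not one the advisory lists."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed


def contains_stage(doc, stage: str) -> bool:
    """Recursively search a command document for an aggregation stage key, so
    stages hidden inside $lookup/$unionWith/$facet sub-pipelines are found too."""
    if isinstance(doc, dict):
        return any(k == stage or contains_stage(v, stage) for k, v in doc.items())
    if isinstance(doc, list):
        return any(contains_stage(item, stage) for item in doc)
    return False


def flag_client_merge_cursors(log_lines):
    """Return (connection, namespace) for each aggregate command whose pipeline
    carries $mergeCursors. Field layout (attr.command, attr.ns, ctx) is assumed."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        attr = entry.get("attr", {})
        cmd = attr.get("command", {})
        if "aggregate" in cmd and contains_stage(cmd.get("pipeline", []), "$mergeCursors"):
            hits.append((entry.get("ctx"), attr.get("ns")))
    return hits


# Constructed sample lines modelled on MongoDB's structured JSON log format.
SAMPLE_LOG = [
    '{"t":{"$date":"2025-07-07T10:00:00.000Z"},"s":"I","c":"COMMAND","ctx":"conn41","msg":"Slow query","attr":{"type":"command","ns":"app.users","command":{"aggregate":"users","pipeline":[{"$match":{"status":"active"}}]}}}',
    '{"t":{"$date":"2025-07-07T10:00:01.000Z"},"s":"I","c":"COMMAND","ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"app.users","command":{"aggregate":"users","pipeline":[{"$match":{"sensitiveField":{"$exists":true}}},{"$mergeCursors":{}}]}}}',
    '{"t":{"$date":"2025-07-07T10:00:02.000Z"},"s":"I","c":"COMMAND","ctx":"conn43","msg":"Slow query","attr":{"type":"command","ns":"app.orders","command":{"aggregate":"orders","pipeline":[{"$lookup":{"from":"users","pipeline":[{"$mergeCursors":{}}],"as":"u"}}]}}}',
]

if __name__ == "__main__":
    print(is_vulnerable("8.0.6"), flag_client_merge_cursors(SAMPLE_LOG))
```

The first sample line is a benign query and is not flagged; the third is caught only because the search descends into the $lookup sub-pipeline.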

Vendor Security History

MongoDB Inc. has a solid track record of addressing vulnerabilities promptly. Previous vulnerabilities, such as CVE-2024-7553 and CVE-2025-6710, were addressed swiftly, demonstrating the vendor's commitment to security. MongoDB regularly publishes security bulletins and maintains a consistent patch release schedule, reflecting a mature security response process.

Recommendations

Organizations using MongoDB should urgently apply the recommended patches and closely monitor their database operations to mitigate potential exploitation risks.

Source: This report was created using AI

