{"id":"CVE-2025-12657","details":"The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.","aliases":["BIT-mongodb-2025-12657"],"modified":"2026-03-12T17:36:32.782102Z","published":"2025-11-03T21:18:50.400Z","references":[{"type":"ADVISORY","url":"https://jira.mongodb.org/browse/SERVER-101230"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"e61bf27c2f6a83fed36e5a13c008a32d563babe2"},{"fixed":"dacdbc3df2fbe579b03336a2f01fc9aedf406a41"},{"introduced":"b41cda4fe697dce6fd9b83b3805362ccc02fbeb3"},{"fixed":"a25a91f17ac7d38e530defb84840cef26964f0bd"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"7.0.22"},{"introduced":"8.0.0"},{"fixed":"8.0.10"}]}}],"versions":["r8.0.0","r8.0.1","r8.0.1-rc0","r8.0.2","r8.0.3","r8.0.4","r8.0.4-rc0","r8.0.5","r8.0.5-rc0","r8.0.5-rc1","r8.0.5-rc2","r8.0.6"],"database_specific":{"vanir_signatures":[{"target":{"file":"src/mongo/db/query/canonical_query_test.cpp","function":"TEST"},"signature_version":"v1","signature_type":"Function","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-09cc0615","digest":{"length":222,"function_hash":"170810567694619582218325827979320844819"}},{"target":{"file":"src/mongo/db/query/get_executor.cpp"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-28057e63","digest":{"threshold":0.9,"line_hashes":["13236081645074493115127001406131911299","32815437550975849390738133222164712455","97250326467089322403696436759510875041","130220526898473437428672593103114463037"]}},{"target":{"file":"src/mongo/db/query/query_planner_tree_test.cpp","function":"TEST_F"},"signature_version":"v1","signature_type":"Function","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-35dd40fb","digest":{"length":392,"function_hash":"91660256789222474456476205099263621914"}},{"target":{"file":"src/mongo/db/query/canonical_query.h"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-4d96a211","digest":{"threshold":0.9,"line_hashes":["259041850611534104466084886859312154654","209571827967119472844100407222830729771","221652195236482708432158039780313247440"]}},{"target":{"file":"src/mongo/transport/asio/asio_session_impl.cpp"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/a25a91f17ac7d38e530defb84840cef26964f0bd","deprecated":false,"id":"CVE-2025-12657-506fa5cb","digest":{"threshold":0.9,"line_hashes":["282765062060540820013904249999369091735","300291622994495336463358897248157878965","171295154459370418954909748630098851460","264717989889958699510278395341009123178","286921937843054147385921250452426071137","212177683335443537294930353787718564470","154072217225560505992627186916787245632","339038656703438971026792802796071385997"]}},{"target":{"file":"src/mongo/transport/asio/asio_session_impl.cpp","function":"CommonAsioSession::isLoadBalancerPeer"},"signature_version":"v1","signature_type":"Function","source":"https://github.com/mongodb/mongo/commit/a25a91f17ac7d38e530defb84840cef26964f0bd","deprecated":false,"id":"CVE-2025-12657-aa314a9d","digest":{"length":88,"function_hash":"156090998067393006199077392588973597889"}},{"target":{"file":"src/mongo/db/query/canonical_query_test.cpp","function":"TEST"},"signature_version":"v1","signature_type":"Function","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-b4300cd3","digest":{"length":121,"function_hash":"179129717886469733075672751986633638480"}},{"target":{"file":"src/mongo/db/query/canonical_query_encoder_test.cpp"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-c4902ad9","digest":{"threshold":0.9,"line_hashes":["55836396164299393863275218643947047121","247898015159499049520840962143521581548","23538965146590376039815961727495063309","73893154509656724043861091875594038976"]}},{"target":{"file":"src/mongo/db/query/canonical_query.cpp"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-e110b1d7","digest":{"threshold":0.9,"line_hashes":["80902743015685727946894915990527748965","176949779465539464536476382397679852955","138011484810510969231374758577969819287","213412792009456961805509708886495972031","108030136181449000469460296639111922283","259216495627230221219155342714306677591","248422617507567503859301171305254340460","245172356663580774147851102062929329842","7994405613649427159682553495468608834","305257036493543719456646007101986473421","208303643772143893856671318066682687209","199288333105912257288505536857893054571","130816849182030429263138698125736179179","3803095995514920701987929798503187434","331120441307678997525871227890531343653","4014394743506684706307958354607111043","145785154675042814859234771874744716077","300795417569439173402529912154615822191","112765197846815209255450283462700714039","285473019838526984620851944074290052422"]}},{"target":{"file":"src/mongo/db/query/canonical_query_test.cpp"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-eb949776","digest":{"threshold":0.9,"line_hashes":["319155624397254202599116224418532377270","320519262511008027629451689690475781923","208462697800841384490668256992285694018","213346500170575268019869843214449743933","247019561929076384094690448831332001219","91764808502864669515496362977122693840","258830790253090992989549304973920386937","51852030045595014727650341916501865161","140711571707803073313743064961857373733","249806296299264674804490985719791734340","204374830227116296807761629752258449460"]}},{"target":{"file":"src/mongo/db/query/query_planner_tree_test.cpp"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/dacdbc3df2fbe579b03336a2f01fc9aedf406a41","deprecated":false,"id":"CVE-2025-12657-fa8a5c8b","digest":{"threshold":0.9,"line_hashes":["250624715087004535328972305640756178805","148536438517875864651429272475526442940","165014192351556472067212166349818389903","49068151080804240088294744416265804817","287242365717231291471612982454676213701","323584313059038749367409677271617447863","86121875653440403020767995825324230918","86345351477897519473606718549341170251","291880075665522310213812374355336024030","9791660833690490751516611827213350840","303693624070357428057007922409213264272"]}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12657.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H"}]}