{"id":"CVE-2025-14345","details":"A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.\n\nThis issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.","aliases":["BIT-mongodb-2025-14345"],"modified":"2026-04-12T17:59:00.870354Z","published":"2025-12-09T16:17:41.153Z","references":[{"type":"ADVISORY","url":"https://jira.mongodb.org/browse/SERVER-106075"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"cfe96f2560c2000d837880f3e49086bed560abec"},{"introduced":"b41cda4fe697dce6fd9b83b3805362ccc02fbeb3"},{"fixed":"6649991c993da79c269e52beec51274bf53fbb98"},{"introduced":"b993867dce63dd366cd93e60f3f425ed716f6497"},{"fixed":"d4511d28ec0c73f0c476027a943c0176c8a16f02"},{"introduced":"0"},{"last_affected":"f363edefb03efa1e3e012d90aea1494c7770e8cc"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"fixed":"7.0.26"},{"introduced":"8.0.0"},{"fixed":"8.0.16"},{"introduced":"8.2.0"},{"fixed":"8.2.2"},{"introduced":"0"},{"last_affected":"8.3.0-alpha0"}]}}],"versions":["0.9.1","1.7-cut","r0.0.3","r0.0.4_rc1","r0.0.6_rc1","r0.0.7_rc1","r0.0.7_rc2","r0.0.7_rc3","r0.0.7_rc4","r0.0.9_rc1","r0.1.0_rc1","r0.1.2_rc1","r0.1.3_rc1","r0.1.4_rc1","r0.1.5_rc1","r0.1.6_rc1","r0.2.1","r0.9.1","r0.9.10","r0.9.5","r0.9.6","r0.9.8","r0.9.9","r1.1.1","r1.1.3","r1.3.0","r1.3.4","r1.5.0","r1.5.1","r1.5.2","r1.5.5","r1.5.6","r1.7.5","r1.7.6","r1.8.0-rc0","r2.1.1","r2.1.2","r2.2.0-rc0","r2.3.1","r2.3.2","r2.4.0-rc0","r2.4.0-rc1","r2.4.0-rc2","r2.4.0.rc1","r2.5.1","r2.5.2","r2.5.3","r2.5.4","r2.5.5","r2.6.0-rc0","r2.6.0-rc1","r2.7.0","r2.7.1","r2.7.2","r2.7.3","r2.7.4","r2.7.5","r2.7.6","r2.7.7","r2.7.8","r2.8.0-rc0","r2.8.0-rc1","r2.8.0-rc2","r2.8.0-rc3","r2.8.0-rc4","r2.8.0-rc5","r3.1.0","r3.1.1","r3.1.2","r3.1.3","r3.1.4","r3.1.5","r3.1.6","r3.1.7","r3.1.8","r3.1.9","r3.2.0","r3.2.0-rc0","r3.2.0-rc1","r3.2.0-rc2","r3.2.0-rc3","r3.2.0-rc4","r3.2.0-rc5","r3.2.0-rc6","r3.3.0","r3.3.1","r3.3.10","r3.3.11","r3.3.12","r3.3.13","r3.3.14","r3.3.15","r3.3.2","r3.3.3","r3.3.4","r3.3.5","r3.3.6","r3.3.7","r3.3.8","r3.3.9","r3.4.0-rc0","r3.4.0-rc1","r3.4.0-rc2","r3.4.0-rc3","r3.5.0","r3.5.1","r3.5.10","r3.5.11","r3.5.12","r3.5.13","r3.5.2","r3.5.3","r3.5.4","r3.5.5","r3.5.6","r3.5.7","r3.5.8","r3.5.9","r3.6.0-rc0","r3.6.0-rc1","r3.6.0-rc2","r3.6.0-rc3","r3.6.0-rc4","r3.7.0","r3.7.1","r3.7.2","r3.7.3","r3.7.4","r3.7.5","r3.7.6","r3.7.7","r3.7.8","r3.7.9","r4.0.0-rc0","r4.1.0","r4.1.1","r4.1.10","r4.1.11","r4.1.12","r4.1.13","r4.1.2","r4.1.3","r4.1.4","r4.1.5","r4.1.6","r4.1.7","r4.1.8","r4.1.9","r4.3.0","r4.3.1","r4.3.2","r4.3.3","r4.3.4","r4.5.0","r4.8.0-alpha","r4.9.0-alpha","r4.9.0-alpha0","r4.9.0-alpha1","r4.9.0-alpha2","r4.9.0-alpha3","r4.9.0-alpha4","r4.9.0-alpha5","r4.9.0-alpha6","r4.9.0-alpha7","r5.0.0-alpha","r5.0.0-alpha0","r5.1.0-alpha","r5.2.0-alpha","r5.3.0-alpha","r5.3.0-alpha0","r5.3.0-alpha1","r5.3.0-alpha2","r5.3.0-alpha3","r5.3.0-alpha4","r6.0.0-alpha","r6.0.0-alpha0","r6.0.0-alpha1","r6.1.0-alpha","r6.2.0-alpha","r6.3.0-alpha","r6.3.0-alpha0","r6.3.0-rc0","r7.0.0","r7.0.0-alpha","r7.0.0-alpha0","r7.0.1","r7.0.1-rc0","r7.0.10","r7.0.10-rc0","r7.0.11","r7.0.11-rc0","r7.0.11-rc1","r7.0.11-rc2","r7.0.12","r7.0.12-rc0","r7.0.12-rc1","r7.0.13","r7.0.13-rc0","r7.0.13-rc1","r7.0.14","r7.0.14-rc0","r7.0.15","r7.0.15-rc0","r7.0.15-rc1","r7.0.16","r7.0.16-rc0","r7.0.16-rc1","r7.0.17","r7.0.18","r7.0.2","r7.0.2-rc0","r7.0.2-rc1","r7.0.2-rc2","r7.0.21","r7.0.21-alpha0","r7.0.21-rc0","r7.0.22","r7.0.22-rc0","r7.0.23","r7.0.23-rc0","r7.0.23-rc1","r7.0.24","r7.0.24-rc0","r7.0.25-alpha0","r7.0.3","r7.0.3-rc0","r7.0.3-rc1","r7.0.4","r7.0.4-rc0","r7.0.5","r7.0.5-rc0","r7.0.6","r7.0.6-rc0","r7.0.7","r7.0.7-rc0","r7.0.7-rc1","r7.0.7-rc2","r7.0.8","r7.0.8-rc0","r7.0.9","r7.0.9-rc0","r7.0.9-rc1","r7.1.0-alpha","r7.1.0-alpha0","r7.2.0-alpha","r7.2.0-alpha0","r7.3.0-alpha","r7.3.0-alpha0","r7.3.0-alpha1","r7.3.0-rc0","r8.0.0","r8.0.0-alpha","r8.0.0-alpha0","r8.0.0-alpha1","r8.0.0-alpha2","r8.0.1","r8.0.1-rc0","r8.0.10","r8.0.10-rc0","r8.0.12","r8.0.12-rc0","r8.0.13","r8.0.13-rc0","r8.0.13-rc1","r8.0.13-rc2","r8.0.14","r8.0.14-rc0","r8.0.14-rc1","r8.0.16-rc0","r8.0.2","r8.0.3","r8.0.4","r8.0.4-rc0","r8.0.5","r8.0.5-rc0","r8.0.5-rc1","r8.0.5-rc2","r8.0.6","r8.1.0-alpha","r8.1.0-alpha0","r8.1.0-alpha1","r8.1.0-alpha2","r8.1.0-alpha3","r8.2.0","r8.2.0-alpha","r8.2.0-alpha0","r8.2.0-alpha1","r8.2.0-alpha2","r8.2.0-rc0","r8.2.1","r8.2.1-rc0","r8.2.1-rc1","r8.3.0-alpha0"],"database_specific":{"vanir_signatures":[{"digest":{"function_hash":"169396510644917166107972285471505278925","length":5523},"signature_version":"v1","deprecated":false,"id":"CVE-2025-14345-0d7700d5","target":{"function":"validatePeerCertificate","file":"src/mongo/util/net/ssl_manager_windows.cpp"},"signature_type":"Function","source":"https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec"},{"digest":{"threshold":0.9,"line_hashes":["255094620203238166973302767875286180987","311318788437859314187108745684874069447","13195629967762718487111799273423913192","145659902616350294817239749199959363992","221972074441494021565962355714822796262","48835208987546656192845547932509644477","87708939807646049295739831013123777386","10193593850898967193818537886210518552","331231889353555350497810337678926637920","152234860073312542299676805758359870241"]},"signature_version":"v1","deprecated":false,"id":"CVE-2025-14345-1ac5af1d","target":{"file":"src/mongo/util/net/ssl_manager_windows.cpp"},"signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec"},{"digest":{"threshold":0.9,"line_hashes":["52207717764756858887103230689427858974","241284099896496899084843301553798842386","81015194422365157642401834775353309989","306832239360780013917147226125039650941"]},"signature_version":"v1","deprecated":false,"id":"CVE-2025-14345-5d8a373e","target":{"file":"src/mongo/util/net/ssl_manager_apple.cpp"},"signature_type":"Line","source":"https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec"},{"digest":{"function_hash":"60854262378866240810463600752329606435","length":715},"signature_version":"v1","deprecated":false,"id":"CVE-2025-14345-a2bd2a3d","target":{"function":"CreateSecTrustPolicies","file":"src/mongo/util/net/ssl_manager_apple.cpp"},"signature_type":"Function","source":"https://github.com/mongodb/mongo/commit/cfe96f2560c2000d837880f3e49086bed560abec"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14345.json","vanir_signatures_modified":"2026-04-12T17:59:00Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}]}