{"id":"CVE-2025-3082","details":"A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.","aliases":["BIT-mongodb-2025-3082"],"modified":"2026-04-12T14:42:34.065212Z","published":"2025-04-01T11:15:39.517Z","references":[{"type":"REPORT","url":"https://jira.mongodb.org/browse/SERVER-103151"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"1184f004a99660de6f5e745573419bda8a28c0e9"},{"fixed":"e8c5dca807cdfef1c9b3141c4c2bcd613d9700e7"},{"introduced":"e61bf27c2f6a83fed36e5a13c008a32d563babe2"},{"fixed":"6b39fbde5c06d2b5ac027082217fb557673bd60d"},{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"1b488fa20bdc54915b89f3a6ef981742adbe8cb2"},{"introduced":"b4d4f7026332c345edc52f9687e509f74e95a0fb"},{"fixed":"81c102cee43550f6932367f668d766e39c60cffd"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"5.0.31"},{"introduced":"6.0.0"},{"fixed":"6.0.20"},{"introduced":"7.0.0"},{"fixed":"7.0.14"},{"introduced":"7.3.0"},{"fixed":"7.3.4"}]}}],"versions":["r5.0.0","r5.0.1","r5.0.1-rc0","r5.0.10","r5.0.10-rc0","r5.0.11","r5.0.11-rc0","r5.0.11-rc1","r5.0.12","r5.0.12-rc0","r5.0.13","r5.0.13-rc0","r5.0.14","r5.0.14-rc0","r5.0.15","r5.0.15-rc0","r5.0.15-rc1","r5.0.15-rc2","r5.0.16","r5.0.16-rc0","r5.0.17","r5.0.17-rc0","r5.0.18","r5.0.18-rc0","r5.0.18-rc1","r5.0.18-rc2","r5.0.19","r5.0.19-rc0","r5.0.2","r5.0.2-rc0","r5.0.20","r5.0.20-rc0","r5.0.20-rc1","r5.0.21","r5.0.21-rc0","r5.0.22","r5.0.22-rc0","r5.0.22-rc1","r5.0.23","r5.0.23-rc0","r5.0.24","r5.0.24-rc0","r5.0.25","r5.0.25-rc0","r5.0.26","r5.0.26-rc0","r5.0.27","r5.0.27-rc0","r5.0.28","r5.0.28-rc0","r5.0.29","r5.0.29-rc0","r5.0.3","r5.0.3-rc0","r5.0.3-rc1","r5.0.3-rc2","r5.0.30","r5.0.31-rc0","r5.0.4","r5.0.4-rc0","r5.0.5","r5.0.5-rc0","r5.0.6","r5.0.6-rc0","r5.0.6-rc1","r5.0.6-rc2","r5.0.7","r5.0.7-rc0","r5.0.7-rc1","r5.0.8","r5.0.8-rc0","r5.0.9","r5.0.9-rc0","r5.0.9-rc1","r6.0.0","r6.0.1","r6.0.1-rc0","r6.0.10","r6.0.10-rc0","r6.0.11","r6.0.11-rc0","r6.0.12","r6.0.12-rc0","r6.0.12-rc1","r6.0.13","r6.0.13-rc0","r6.0.14","r6.0.14-rc0","r6.0.14-rc1","r6.0.15","r6.0.15-rc0","r6.0.16","r6.0.16-rc0","r6.0.17","r6.0.17-rc0","r6.0.18","r6.0.18-rc0","r6.0.19","r6.0.2","r6.0.2-rc0","r6.0.2-rc1","r6.0.20-rc0","r6.0.20-rc1","r6.0.20-rc2","r6.0.3","r6.0.3-rc0","r6.0.3-rc1","r6.0.3-rc2","r6.0.4","r6.0.4-rc0","r6.0.4-rc1","r6.0.5","r6.0.5-rc0","r6.0.5-rc1","r6.0.6","r6.0.6-rc0","r6.0.6-rc1","r6.0.7","r6.0.7-rc0","r6.0.8","r6.0.8-rc0","r6.0.9","r6.0.9-rc0","r6.0.9-rc1","r7.0.0","r7.0.1","r7.0.1-rc0","r7.0.10","r7.0.10-rc0","r7.0.11","r7.0.11-rc0","r7.0.11-rc1","r7.0.11-rc2","r7.0.12","r7.0.12-rc0","r7.0.12-rc1","r7.0.13","r7.0.13-rc0","r7.0.13-rc1","r7.0.2","r7.0.2-rc0","r7.0.2-rc1","r7.0.2-rc2","r7.0.3","r7.0.3-rc0","r7.0.3-rc1","r7.0.4","r7.0.4-rc0","r7.0.5","r7.0.5-rc0","r7.0.6","r7.0.6-rc0","r7.0.7","r7.0.7-rc0","r7.0.7-rc1","r7.0.7-rc2","r7.0.8","r7.0.8-rc0","r7.0.9","r7.0.9-rc0","r7.0.9-rc1","r7.3.0","r7.3.1","r7.3.1-rc0","r7.3.1-rc1","r7.3.1-rc2","r7.3.2","r7.3.2-rc0","r7.3.2-rc1","r7.3.3","r7.3.3-rc0","r7.3.4-rc0","r7.3.4-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T14:42:34Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-37cd3957","target":{"file":"src/mongo/db/pipeline/document_source_unwind.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["111874932942046114223144494633221209129","256161905959451949254944526044843089200","256297468071740735162236456708360012742","235830183144559937999253149604957112306","333439315193046824989860925238314039277","67806875461468992500661772377747545565","315068057892469383161678055746093791167","163662512404082480371673185596467494915","305521259106150362239553553475319460417","237949536939246254356068982710758675285","233368596813223622005935141840143744284","249840967872087541426899006816657862039"]},"source":"https://github.com/mongodb/mongo/commit/6b39fbde5c06d2b5ac027082217fb557673bd60d"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-68b5792a","target":{"file":"src/mongo/db/pipeline/document_source_unwind.cpp","function":"DocumentSourceUnwind::Unwinder::Unwinder"},"signature_type":"Function","digest":{"function_hash":"158583053690993594079961819885580517603","length":229},"source":"https://github.com/mongodb/mongo/commit/6b39fbde5c06d2b5ac027082217fb557673bd60d"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-7b8b46be","target":{"file":"src/mongo/db/commands/list_collections.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["301870103497820413148681040654540305254","109461579742329986580414407415072276415","103535047316262997435395590132144754438","38842998314046113554393337485390801824","132337306073161130046903095527367563622","7164343108274904571523416685628470821","8433349432413735156480043012593625388"]},"source":"https://github.com/mongodb/mongo/commit/1b488fa20bdc54915b89f3a6ef981742adbe8cb2"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-98e95ab3","target":{"file":"src/mongo/db/s/shard_server_op_observer.cpp","function":"ShardServerOpObserver::onCreateCollection"},"signature_type":"Function","digest":{"function_hash":"317059203157195173859428266013583839835","length":959},"source":"https://github.com/mongodb/mongo/commit/e8c5dca807cdfef1c9b3141c4c2bcd613d9700e7"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-a50b1d1c","target":{"file":"src/mongo/db/s/shard_server_op_observer.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["338095024408874251521027627609623809923","19517780008182253857358285612128038534","95532667481650364120857114228697583222","224358683231941325215866037278555672552"]},"source":"https://github.com/mongodb/mongo/commit/e8c5dca807cdfef1c9b3141c4c2bcd613d9700e7"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-c5867b8d","target":{"file":"src/mongo/db/pipeline/document_source_unwind_test.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["22086865423945277420463346282675410359","230789960585398782210326326319515422235","248302116163759668327706100034840776012"]},"source":"https://github.com/mongodb/mongo/commit/6b39fbde5c06d2b5ac027082217fb557673bd60d"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-c61a0dde","target":{"file":"src/mongo/db/pipeline/document_source_unwind.cpp","function":"DocumentSourceUnwind::Unwinder::getNext"},"signature_type":"Function","digest":{"function_hash":"178158968249656320450514116893340795177","length":1055},"source":"https://github.com/mongodb/mongo/commit/6b39fbde5c06d2b5ac027082217fb557673bd60d"},{"deprecated":false,"signature_version":"v1","id":"CVE-2025-3082-e8342bcf","target":{"file":"src/mongo/db/pipeline/field_path.h"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["222656228999319984345615210932081431974","193954611145980170235708013613831262012","28258538037177236396132426160576990472","225632782582637378616067280143374015707","74892736587624400858128677358105557890","63274386290555953020237546162368808513"]},"source":"https://github.com/mongodb/mongo/commit/6b39fbde5c06d2b5ac027082217fb557673bd60d"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3082.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}