CVE-2025-10059: 
MongoDB vulnerability analysis and mitigation

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This vulnerability (CVE-2025-10059) occurs when a generic argument (lsid) is provided in a case when it is not applicable. The vulnerability affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18, and MongoDB Server v8.0 versions prior to 8.0.6 (NVD).

The vulnerability stems from an invariant on a matching uid in the lsid of the opCtx and command request in shardingtaskexecutor.cpp. This issue has led to several application failures involving server crashes. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and requiring low privileges (NVD, MongoDB Jira).

When exploited, this vulnerability can cause MongoDB routers to crash, potentially disrupting database operations. The issue specifically affects the server's ability to handle sharded queries when certain lsid configurations are present (NVD).

The issue has been addressed in MongoDB Server versions 6.0.x, 7.0.18, and 8.0.6. The fix involves relaxing the user digest invariant to a tassert in the ShardingTaskExecutor and implementing proper caching of the lsid value when constructing the AsyncResultsManager (MongoDB Jira, MongoDB Jira).