CVE-2025-10061: 
MongoDB vulnerability analysis and mitigation

A vulnerability in MongoDB Server (CVE-2025-10061) was discovered that allows an authorized user to cause a crash through a specially crafted $group query. The vulnerability stems from incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This issue affects MongoDB Server versions 6.0 (prior to 6.0.25), 7.0 (prior to 7.0.22), 8.0 (prior to 8.0.12), and 8.1 (prior to 8.1.2) (MongoDB NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) according to MongoDB's assessment. The issue specifically relates to the handling of accumulator functions within $group operations, where certain parameter configurations can trigger a system crash (MongoDB NVD).

When exploited, this vulnerability can lead to denial of service if triggered repeatedly. The impact is limited to system availability, with no direct effect on confidentiality or integrity of the data (MongoDB NVD).

MongoDB has released patched versions to address this vulnerability. Users should upgrade to MongoDB Server version 6.0.25, 7.0.22, 8.0.12, or 8.1.2 depending on their current version track (MongoDB NVD).