CVE-2025-10491: 
MongoDB vulnerability analysis and mitigation

The MongoDB Windows installation MSI contains a vulnerability (CVE-2025-10491) where Access Control Lists (ACLs) may remain unset on custom installation directories. This vulnerability affects MongoDB Server versions prior to 6.0.25, 7.0.21, and 8.0.5. The issue was discovered and disclosed on September 15, 2025 (NVD).

The vulnerability is classified as an Improper Access Control issue (CWE-284) that could allow DLL hijacking attacks. MongoDB has assigned this vulnerability a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, has low attack complexity, requires low privileges, needs no user interaction, and can potentially impact confidentiality, integrity, and availability with high severity (NVD).

If exploited, this vulnerability allows a local attacker to introduce executable code to MongoDB's process through DLL hijacking, potentially leading to complete compromise of the MongoDB server process with high impacts on confidentiality, integrity, and availability (NVD).

MongoDB has addressed this vulnerability in the following versions: MongoDB Server 6.0.25, MongoDB Server 7.0.21, and MongoDB Server 8.0.5. Users are advised to upgrade to these or later versions to mitigate the vulnerability (NVD).