CVE-2025-11695: 
MongoDB vulnerability analysis and mitigation

A security vulnerability (CVE-2025-11695) was discovered in MongoDB Rust Driver versions prior to v3.2.5. The vulnerability occurs when tlsInsecure=False appears in a connection string, which unexpectedly disables certificate validation instead of enforcing it (MongoDB Advisory, NVD).

The vulnerability exists in the MongoDB Rust driver's connection string parsing logic, specifically in the ConnectionString::parse method located in src/client/options.rs. When a user specifies tlsInsecure=false in the connection URI, the driver incorrectly interprets this as a request to disable TLS certificate validation due to a logical flaw in the boolean value interpretation. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N and is categorized as CWE-295 (Improper Certificate Validation) (Miggo, NVD).

The vulnerability exposes encrypted TLS traffic to potential man-in-the-middle attacks by disabling certificate validation when users explicitly attempt to enable security measures. This could lead to unauthorized access to sensitive data and potential manipulation of encrypted communications (Miggo).

The vulnerability has been patched in MongoDB Rust Driver version 3.2.5. Users should upgrade to this version or later to resolve the issue. The fix corrects the boolean value interpretation of tlsInsecure to properly configure allow_invalid_certificates and allow_invalid_hostnames (Miggo).