CVE-2025-3085: 
MongoDB vulnerability analysis and mitigation

A MongoDB server vulnerability (CVE-2025-3085) was discovered affecting Linux systems with TLS and CRL revocation status checking enabled. The vulnerability stems from the server's failure to check the revocation status of intermediate certificates in the peer's certificate chain. This issue affects MongoDB Server versions 5.0 (prior to 5.0.31), 6.0 (prior to 6.0.20), 7.0 (prior to 7.0.16), and 8.0 (prior to 8.0.4) (NVD, MongoDB Jira).

The vulnerability is classified with a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-299: Improper Check for Certificate Revocation. The issue specifically occurs when the MongoDB server is running on Linux with TLS and Certificate Revocation List (CRL) checking enabled, where it fails to validate the revocation status of intermediate certificates in the authentication chain (Security Online, MongoDB Jira).

The vulnerability can lead to improper authentication, particularly in scenarios involving MONGODB-X509 (though not enabled by default) and potentially affecting intra-cluster authentication. This could allow attackers to establish unauthorized connections using revoked certificates, potentially compromising the security of the database system (Security Online).

MongoDB has released patches to address this vulnerability. Users are advised to upgrade to the following versions: MongoDB Server 5.0.31, 6.0.20, 7.0.16, or 8.0.4. The vulnerability only affects systems where both TLS and CRL revocation status checking are enabled on Linux operating systems (MongoDB Jira).