A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication.

The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes.

This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation).

Vulnerability Analysis
Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism.

The server fails to properly validate date values in JSON input, leading to:

Complete server crashes without authentication in v7.0 and v8.0 deployments
Post-authentication DoS in v6.0 environments
Critical disruption of database operations through invariant failures
The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact.

MongoDB has classified this as CWE-20 (Improper Input Validation).
Mitigation and Updates

Administrators should immediately upgrade to patched versions:

MongoDB v6.0 → 6.0.21 or later
MongoDB v7.0 → 7.0.17 or later
MongoDB v8.0 → 8.0.5 or later
For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.