CVE-2025-10060
MongoDB may be susceptible to Invariant Failure in Transactions due to Upsert Operation
7.5
HIGH
CVSS 3.1
EPSS 0.47%
Description
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12.
How to fix CVE-2025-10060
To remediate CVE-2025-10060, upgrade the affected package to the fixed version for the release branch you run:
- MongoDB Server 6.0: upgrade to 6.0.25 or later
- MongoDB Server 7.0: upgrade to 7.0.22 or later
- MongoDB Server 8.0: upgrade to 8.0.12 or later
Is CVE-2025-10060 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.0.0, < 6.0.25, >= 7.0.0, < 7.0.22, >= 8.0.0, < 8.0.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |