Data Management and Analytics

In MongoDB Server versions prior to 5.0.31, 6.0.20, 7.0.16 and 8.0.4 a high severity vulnerability CVE-2025-3085 was detected. When running on Linux with TLS and CRL checks enabled, MongoDB may skip verifying intermediate certificate revocation, potentially allowing improper or unauthenticated access, especially with MONGODB-X509 or intra-cluster authentication. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3085.

In MongoDB Server versions prior to 5.0.31, 6.0.20, 7.0.14 and 7.3.4 a low severity vulnerability CVE-2025-3082 was detected. This vulnerability allows an authorized user to alter the intended collation of a view, potentially enabling access to unintended underlying data. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3082.

In MLflow versions 2.13.2 a medium severity vulnerability CVE-2024-6838 was detected. This vulnerability allows an attacker to create or rename an experiment with an excessively long numeric name, causing the MLflow UI to become unresponsive, potentially leading to a denial of service. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6838.

In Metabase versions prior to 0.52.16.4, 1.52.16.4, 0.53.8 and v1.53.8 a low severity vulnerability CVE-2025-30371 was detected. This vulnerability allows circumvention of local link access protection in the GeoJson endpoint, potentially impacting self-hosted instances colocated with unsecured resources. To address this issue, users should upgrade Metabase to versions 0.52.16.4, 1.52.16.4, 0.53.8 or 1.53.8. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30371.

In MongoDB C Driver library versions prior to 1.27.5 and MongoDB Server versions 8.0 prior to 8.0.1 and 7.0 prior to 7.0.16 a high severity vulnerability CVE-2025-0755 was detected. This vulnerability allows attackers to trigger a buffer overflow when handling BSON documents exceeding the maximum allowable size (INT32_MAX), potentially causing a segmentation fault and application crash. To address this issue, users should upgrade to libbson versions 1.27.5, MongoDB Server versions 8.0.1 or 7.0.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0755.

In NocoDB versions 0.257.9 and prior a medium severity vulnerability CVE-2025-27506 was detected. This vulnerability allows attackers to exploit a reflected Cross-Site Scripting (XSS) flaw in the /api/v1/db/auth/password/reset/:tokenId API endpoint due to the use of the insecure function “<%-" in the client-side template engine ejs, which is rendered by the function renderPasswordReset. To address this issue, users should upgrade NocoDB to versions 0.258.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27506.

In Kibana versions 8.15.0 up to, but not including, 8.17.1 a critical severity vulnerability CVE-2025-25015 was detected. This vulnerability allows users with the Viewer role to achieve arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. To address this issue, users should upgrade Kibana to version 8.17.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25015.

In Metabase Enterprise Edition versions 1.47.0 and prior to 1.50.36, 1.51.14, 1.52.11, and 1.53.2 a medium severity vulnerability CVE-2025-27141 was detected. This allows users with impersonation permissions to access cached query results, even if they lack permission to view the data. To address this issue, users should upgrade to versions 1.50.36, 1.51.14, 1.52.11 or 1.53.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27141.

In MySQL Server versions up to 9.1.0 a medium severity vulnerability CVE-2025-21567 was detected. This vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. To address this issue, users should upgrade to a version 9.2.0 or higher. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-21567.