
CVE-2025-11695: MongoDB Rust Driver has certificate validation disabled when `tlsInsecure=False` appears in connection string

CVSS Score: 8.0 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 10/13/2025
Updated: 10/13/2025
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
mongodb        Rust        < 3.2.5               3.2.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is in the MongoDB Rust driver's connection string parsing. The code that handles the `tlsInsecure` option contained a logic flaw: when a user specified `tlsInsecure=false` in the connection URI, the driver treated this as a request to disable TLS certificate validation, because the parsed boolean was inverted before being applied to the `allow_invalid_certificates` setting. The result is the opposite of what the option name promises: an application that explicitly asked for a secure connection got one that accepts any certificate, which is what makes the connection exposed to a man-in-the-middle attacker positioned between the client and the database.

The root cause is in the `ConnectionString::parse` method (and its internal helper `parse_option_pair` in older versions), located in src/client/options.rs. The patch uses the boolean value of `tlsInsecure` as written to configure `allow_invalid_certificates` and `allow_invalid_hostnames`, so that `tlsInsecure=false` leaves certificate and hostname validation enabled as intended.

`ClientOptions::parse` is the public-facing API that developers call to build options from a connection string; it in turn runs the vulnerable parsing logic. That makes it the function to look for in a runtime profile of an application while it establishes its database connection.
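To make the inversion concrete, here is an added, self-contained illustration of the bug pattern described above and its corrected form. It is not the mongodb crate's source and does not reproduce the driver's real `ConnectionString::parse`; it is a minimal std-only parser for the TLS-related options of a MongoDB-style connection string, with the flag negation toggled so the two behaviours can be compared side by side. The sample URI and field names are constructed for the example.

```rust
// Added illustration, not the mongodb crate's code: a minimal parser for the
// TLS-related options of a MongoDB-style connection string, once with the
// inverted tlsInsecure handling the advisory describes and once corrected.

#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub struct TlsSettings {
    pub allow_invalid_certificates: bool,
    pub allow_invalid_hostnames: bool,
}

impl TlsSettings {
    /// The property that matters operationally: is the server certificate
    /// actually checked, both the chain and the hostname?
    pub fn validates_certificates(&self) -> bool {
        !self.allow_invalid_certificates && !self.allow_invalid_hostnames
    }
}

/// Parses a boolean option value; anything other than true/false is an error
/// rather than silently defaulting to an insecure setting.
fn parse_bool(key: &str, raw: &str) -> Result<bool, String> {
    match raw.to_ascii_lowercase().as_str() {
        "true" => Ok(true),
        "false" => Ok(false),
        other => Err(format!("option {key}: expected true or false, got {other:?}")),
    }
}

/// Splits the `key=value&key=value` part after `?`. Option keys are
/// case-insensitive in MongoDB connection strings, so they are lower-cased.
fn query_pairs(uri: &str) -> Vec<(String, String)> {
    let query = match uri.split_once('?') {
        Some((_, q)) => q,
        None => return Vec::new(),
    };
    query
        .split('&')
        .filter(|kv| !kv.is_empty())
        .filter_map(|kv| {
            let (k, v) = kv.split_once('=')?;
            Some((k.to_ascii_lowercase(), v.to_string()))
        })
        .collect()
}

fn parse_tls(uri: &str, invert_tls_insecure: bool) -> Result<TlsSettings, String> {
    let mut tls = TlsSettings::default();
    for (key, value) in query_pairs(uri) {
        match key.as_str() {
            "tlsinsecure" => {
                let mut insecure = parse_bool(&key, &value)?;
                if invert_tls_insecure {
                    // The flaw: the flag is negated before it is applied, so
                    // tlsInsecure=false switches certificate validation OFF.
                    insecure = !insecure;
                }
                tls.allow_invalid_certificates = insecure;
                tls.allow_invalid_hostnames = insecure;
            }
            "tlsallowinvalidcertificates" => {
                tls.allow_invalid_certificates = parse_bool(&key, &value)?;
            }
            "tlsallowinvalidhostnames" => {
                tls.allow_invalid_hostnames = parse_bool(&key, &value)?;
            }
            _ => {} // other options are irrelevant to this example
        }
    }
    Ok(tls)
}

/// Models the behaviour described for affected versions (< 3.2.5).
pub fn parse_tls_vulnerable(uri: &str) -> Result<TlsSettings, String> {
    parse_tls(uri, true)
}

/// Models the corrected behaviour: the boolean is used as written.
pub fn parse_tls_fixed(uri: &str) -> Result<TlsSettings, String> {
    parse_tls(uri, false)
}

fn main() {
    // Constructed sample URI; host and database name are placeholders.
    let uri = "mongodb://db.example.internal:27017/app?tls=true&tlsInsecure=false";
    let before = parse_tls_vulnerable(uri).unwrap();
    let after = parse_tls_fixed(uri).unwrap();
    println!("vulnerable parser validates certificates: {}", before.validates_certificates());
    println!("fixed parser validates certificates:      {}", after.validates_certificates());
}
```

The check a practitioner wants is the one `validates_certificates` encodes: assert on the effective TLS settings of the parsed options, not on the text of the URI. Against the real driver the equivalent is to parse the URI with `ClientOptions::parse` in a test and inspect the resulting `tls` options before connecting; pinning the driver to 3.2.5 or later removes the inversion itself.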

Vulnerable functions

mongodb::client::options::ConnectionString::parse
src/client/options.rs
This function parses the MongoDB connection string. The vulnerability lies in how it processed the `tlsInsecure` option: when a user set `tlsInsecure=false`, intending to enforce validation, the code inverted the value and set `allow_invalid_certificates` to `true`, disabling certificate validation and exposing the connection to man-in-the-middle attacks.

mongodb::client::options::ClientOptions::parse
src/client/options.rs
This is the primary function developers use to create a `ClientOptions` object from a connection string. It calls the vulnerable `ConnectionString::parse` directly. As the entry point to the flawed logic, any application that used it to parse a connection string containing `tlsInsecure=false` on an affected driver version was vulnerable.

WAF Protection Rules

WAF Rule

When tlsInsecure=false appears in a connection string, certificate validation is disabled. This vulnerability affects MongoDB Rust driver versions prior to v3.2.5.

Reasoning

The vulnerability exists in the MongoDB Rust driver's connection string parsing logic. Specifically, the code that handles the `tlsInsecure` option contained a logical flaw. When a user specified `tlsInsecure=false` in the connection URI, the driver