Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions,...

Keyfile contents are in MongoDB Server logs

MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction...

Stack memory disclosure in filemd5 command

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command...

Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.

The $internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command...

GeometryCollection with strict-winding polygon causes server crash during 2dsphere index key generation

An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not...

Sensitive data could be written to mongod.log

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

Metadata name collision on $-prefixed fields causes post-auth server crash

An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain...

Using MaxKey() may crash the server

This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer that is, many results are routed to the same consumer,...

$_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

Crafted cross-shard merge aggregation crashes MongoDB Server

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

Server crashes in case of the use of exchange

When using $changestreams and $requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement...

Aggregation sub-pipeline null dereference may allow DoS via crafted getMore

In MongoDB Server 8.0, an aggregation stage can leave its subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid addres...

Authenticate command with specific mechanism parameter can trigger server crash

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

Client side encryption fails to encrypt values in a $vectorSearch

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption QE or Client-Side Field Level Encryption CSFLE results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of...

Prototype pollution in csv parsing

Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leading to "1-click" command execution...

Heap memory out of bounds read and crash in C Driver legacy GridFS file reader

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash via a division-by-zero or silently leak process memo...

Calling createIndex with certain index types can crash mongod

Creating a "2dspherebucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryableencryptedrange" indices. This issue affects MongoDB Server...

PHP Stack Exhaustion

Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server...

Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands

After invoking $internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine through $where, $function, mapreduce reduce stage, etc. is used also in...

Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields

A use-after-free vulnerability exists in MongoDB's Field-Level Encryption FLE query analysis component, affecting client-side uses of mongocryptd and cryptshared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This issue impacts MongoDB Server’s...

Schema validation log messages may not redact user data

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 version...

Post-auth memory exhaustion via bitwise match expressions

An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue impacts MongoDB Server v7.0 versions prior to...

FlatBSON Duplicate Field Index Drift

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series...

Ops Manager RCE via webhook body

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior...

Post-auth null pointer dereference when aggregating against a view with empty search pipeline

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads...

MongoDB C Driver Cyrus SASL Canonicalization Buffer Overflow

The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI...

Flaw in the updateUser Command May Allow Unauthorized Configuration Change

An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account...

MD5 checksum creation may cause availability loss

Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior...

bson_validate may skip validation when processing certain inputs

The bsonvalidate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that re...

Users could trigger a crash of mongod primaries during promotion to sharded

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary o...

Heap-buffer-over-read in _mongoc_http_send via strstr on non-null-terminated buffer

A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver...

Memory safety issues in slot-based execution hash table spill

A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution SBE engine when an in-memory hash table is spilled to disk...

ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline...

Stack memory disclosure in filemd5 command

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command...

Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak

The mongo-go-driver repository contains CGo bindings for GSSAPI Kerberos authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not...

Unsafe Reflection in Mongoid::Criteria.from_hash

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.fromhash may allow for executing arbitrary Ruby code...

An unsafe cast in the MongoDB query planner can result in a segmentation fault.

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index...

Mongod can run out of stack memory when expressions create deeply nested documents

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression...

An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash...

profile command may permit unauthorized configuration

Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only...

Invalid $geoNear index hint may cause server crash

An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints...

Connections received from the proxy port may not count towards total accepted connections

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

MongoDB Server may crash when inserting large documents

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash...

Internal ResourceId collision may affect unrelated collections

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks...

Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server

A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server...

Integer Overflow in GridFS chunkSize Leading to Heap Allocation Failure

User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container...

Zlib compressed protocol header length confusion may allow memory read

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3,...

Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction...

MongoDB may be susceptible to Invariant Failure due to batched delete

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server...