Cato CTRL’s senior safety researcher, Vitaly Simonovich, has uncovered a high-severity dos vulnerability in MongoDB, tracked as CVE-2026-25611, that lets unauthenticated attackers crash any uncovered MongoDB server.
CVE-2026-25611 is rooted in MongoDB’s OP_COMPRESSED wire protocol, a compression function launched in model 3.4 and enabled by default since model 3.6.
The flaw is classed underneath CWE-405 (Uneven Useful resource Consumption), carrying a CVSS 4.0 rating of 8.7 and a CVSS 3.1 rating of 7.5 (Excessive).
It impacts all MongoDB deployments with compression enabled, together with MongoDB Atlas, throughout variations 7.0, 8.0, and eight.2 previous to their respective patches.
How the Assault Works
When MongoDB receives a compressed message, it reads the uncompressedSize area from the packet header and instantly allocates a reminiscence buffer of that measurement, earlier than verifying whether or not the precise compressed knowledge matches the claimed measurement.
An attacker exploits this by sending a crafted ~47KB packet whereas falsely declaring an uncompressedSize of 48MB, tricking the server into reserving a large reminiscence block with nearly no actual knowledge.
This creates a staggering 1,027:1 amplification ratio, consider sending the equal of a brief electronic mail, however forcing the server to order reminiscence the dimensions of an audio podcast episode.
The susceptible operate SharedBuffer::allocate(uncompressedSize) in message_compressor_manager.cpp allocates reminiscence at line 158, whereas validation solely occurs at line 175, nicely after the harm is completed.
No credentials are required. The exploit targets MongoDB’s wire protocol parsing earlier than any authentication test, making each internet-facing MongoDB occasion a possible sufferer.
The assault scales with the goal’s RAM and requires solely concurrent TCP connections to port 27017.
A 512MB MongoDB occasion crashes with simply 10 connections sending roughly 457KB of visitors, whereas a 64GB enterprise server falls with round 1,363 connections and solely 64MB of knowledge, nicely throughout the functionality of a single residence web connection.
In response to Catonetworks, greater than 207,000 MongoDB cases are presently uncovered to the web.
Indicators of Compromise
Safety groups ought to look ahead to the next warning indicators:
- Excessive quantity of TCP connections to port 27017 from a single supply IP
- OP_COMPRESSED packets (opCode 2012) with
uncompressedSizeexceeding 10MB however whole packet measurement underneath 100KB - Speedy reminiscence spike within the
mongodcourse of - OOM (out-of-memory) killer occasions in system logs focusing on MongoDB
- MongoDB course of exiting with code 137 (kernel SIGKILL as a result of OOM)
Patch and Mitigation
MongoDB has launched fixes in variations 7.0.29, 8.0.18, and eight.2.4, which validate the uncompressedSize area earlier than any reminiscence allocation.
Organizations ought to improve instantly and keep away from exposing port 27017 to 0.0.0.0/0. MongoDB Atlas customers ought to prohibit entry through IP entry lists and use non-public connectivity as a substitute of permitting open entry.
Configuring OS-level reminiscence limits utilizing cgroups on Linux may scale back blast radius till patching is full.
This vulnerability was responsibly disclosed to MongoDB by its bug bounty program and patched in collaboration with MongoDB’s safety workforce.
Comply with us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most well-liked Supply in Google.
