Cato CTRL’s senior safety researcher, Vitaly Simonovich, has uncovered a high-severity dos vulnerability in MongoDB, tracked as CVE-2026-25611, that lets unauthenticated attackers crash any uncovered MongoDB server.
CVE-2026-25611 is rooted in MongoDB’s OP_COMPRESSED wire protocol, a compression characteristic launched in model 3.4 and enabled by default since model 3.6.
The flaw is classed beneath CWE-405 (Uneven Useful resource Consumption), carrying a CVSS 4.0 rating of 8.7 and a CVSS 3.1 rating of 7.5 (Excessive).
It impacts all MongoDB deployments with compression enabled, together with MongoDB Atlas, throughout variations 7.0, 8.0, and eight.2 previous to their respective patches.
How the Assault Works
When MongoDB receives a compressed message, it reads the uncompressedSize area from the packet header and instantly allocates a reminiscence buffer of that dimension, earlier than verifying whether or not the precise compressed knowledge matches the claimed dimension.
An attacker exploits this by sending a crafted ~47KB packet whereas falsely declaring an uncompressedSize of 48MB, tricking the server into reserving a large reminiscence block with virtually no actual knowledge.
This creates a staggering 1,027:1 amplification ratio, consider sending the equal of a brief e mail, however forcing the server to order reminiscence the scale of an audio podcast episode.
The weak perform SharedBuffer::allocate(uncompressedSize) in message_compressor_manager.cpp allocates reminiscence at line 158, whereas validation solely occurs at line 175, properly after the injury is completed.
No credentials are required. The exploit targets MongoDB’s wire protocol parsing earlier than any authentication verify, making each internet-facing MongoDB occasion a possible sufferer.
The assault scales with the goal’s RAM and requires solely concurrent TCP connections to port 27017.
A 512MB MongoDB occasion crashes with simply 10 connections sending roughly 457KB of site visitors, whereas a 64GB enterprise server falls with round 1,363 connections and solely 64MB of knowledge, properly inside the functionality of a single house web connection.
In line with Catonetworks, greater than 207,000 MongoDB situations are presently uncovered to the web.
Indicators of Compromise
Safety groups ought to look ahead to the next warning indicators:
- Excessive quantity of TCP connections to port 27017 from a single supply IP
- OP_COMPRESSED packets (opCode 2012) with
uncompressedSizeexceeding 10MB however whole packet dimension beneath 100KB - Speedy reminiscence spike within the
mongodcourse of - OOM (out-of-memory) killer occasions in system logs focusing on MongoDB
- MongoDB course of exiting with code 137 (kernel SIGKILL as a consequence of OOM)
Patch and Mitigation
MongoDB has launched fixes in variations 7.0.29, 8.0.18, and eight.2.4, which validate the uncompressedSize area earlier than any reminiscence allocation.
Organizations ought to improve instantly and keep away from exposing port 27017 to 0.0.0.0/0. MongoDB Atlas customers ought to prohibit entry by way of IP entry lists and use non-public connectivity as an alternative of permitting open entry.
Configuring OS-level reminiscence limits utilizing cgroups on Linux also can cut back blast radius till patching is full.
This vulnerability was responsibly disclosed to MongoDB by its bug bounty program and patched in collaboration with MongoDB’s safety group.
Observe us on Google Information, LinkedIn, and X to Get On the spot Updates and Set GBH as a Most popular Supply in Google.
