MongoDB Server Denial-of-Service Vulnerability via $group Query Accumulator Mismanagement

Vulnerability

A denial-of-service vulnerability has been identified in MongoDB Server versions 6.0 prior to 6.0.25, 7.0 prior to 7.0.22, 8.0 prior to 8.0.12, and 8.1 prior to 8.1.2. It allows an authorized user to crash the server by sending a specially crafted $group query. The vulnerability arises from improper handling of certain accumulator functions when additional parameters are included in the $group stage; repeated execution of such a query can crash the server.

Impact

Exploitation of this vulnerability causes the MongoDB server to crash, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a $group query that includes specific accumulator functions together with additional parameters. The query exploits the improper handling of those accumulator functions during the merging step, causing the server to crash. The issue is tracked in MongoDB Jira as SERVER-99616.

Remediation

Upgrade to MongoDB Server version 6.0.25, 7.0.22, 8.0.12, or 8.2.0-rc0 to address this vulnerability.
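The practical first step for a defender is to confirm whether each server in the fleet sits inside the affected ranges listed in the Vulnerability section above. The following mongosh-compatible JavaScript is an added example, not code from the advisory or from MongoDB; it encodes only the version ranges stated on this page (6.0 < 6.0.25, 7.0 < 7.0.22, 8.0 < 8.0.12, 8.1 < 8.1.2) and assumes that a pre-release suffix such as "-rc0" can be ignored for the comparison. The version strings in the invocations at the bottom are constructed sample input.

```javascript
// Added example (not from the advisory): decide whether a MongoDB server
// version string falls inside the affected ranges the advisory lists.
// Branches the advisory does not name (e.g. 5.0, 8.2) are not flagged.
const AFFECTED_RANGES = [
  { branch: [6, 0], fixedIn: [6, 0, 25] },
  { branch: [7, 0], fixedIn: [7, 0, 22] },
  { branch: [8, 0], fixedIn: [8, 0, 12] },
  { branch: [8, 1], fixedIn: [8, 1, 2] },
];

// Parse "8.0.11", "8.2.0-rc0" or "v7.0.22-ent" into [major, minor, patch].
// Assumption: a pre-release suffix is dropped, so "8.1.2-rc0" compares as 8.1.2.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised version string: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected: boolean, fixedIn: string|null }. fixedIn is the first
// patched release on the same branch, or null if the branch is not listed.
function checkVersion(str) {
  const v = parseVersion(str);
  for (const r of AFFECTED_RANGES) {
    if (v[0] === r.branch[0] && v[1] === r.branch[1]) {
      return {
        affected: compareVersions(v, r.fixedIn) < 0,
        fixedIn: r.fixedIn.join('.'),
      };
    }
  }
  return { affected: false, fixedIn: null };
}

// Constructed sample inputs; in mongosh you would pass db.version() instead.
for (const sample of ['7.0.21', '8.0.12', '8.2.0-rc0']) {
  const result = checkVersion(sample);
  console.log(sample, result.affected ? `affected, fixed in ${result.fixedIn}` : 'not in an affected range');
}
```

In mongosh the call becomes `checkVersion(db.version())`; run it against every member of a replica set or sharded cluster rather than once per deployment, because members can run different versions during a rolling upgrade and a single unpatched node is enough to take the service down.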

Added: Sep 5, 2025, 9:18 PM
Updated: Sep 5, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.4
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.