MongoDB Expression Context Use-After-Free Vulnerability in Sharded Clusters

Vulnerability

A use-after-free vulnerability has been identified in MongoDB's aggregation pipeline processing in sharded clusters. It can be triggered by an authenticated user holding only the read role who issues a specially crafted aggregation pipeline containing $lookup or $graphLookup. The root cause is in ExpressionContext lifetime management: a raw pointer to the ExpressionContext is stored instead of a reference-counted smart pointer, so when the original context is freed the holder is left with a dangling reference. The dangling reference arises while pipelines are cloned for dispatch to the shards, and nested $unionWith stages make it worse, because each clone of a $unionWith creates a new ExpressionContext for its sub-pipeline while the $lookup or $graphLookup expressions still point at the outer one.

Impact

Successful exploitation dereferences a freed ExpressionContext during sharded aggregation, which can corrupt memory or cause other undefined behaviour. A use-after-free of this kind typically manifests as a crash of the server process handling the query, so denial of service is the most likely outcome, with memory corruption the more severe possibility. Because only the read role is required, any user able to run aggregations against the sharded cluster can reach the vulnerable code path.

Reproduction

An authenticated user with the read role issues, against a sharded cluster, an aggregation pipeline in which one $unionWith is nested inside another and whose sub-pipelines use $lookup or $graphLookup. When the pipeline is cloned for dispatch to the shards, the inner $unionWith's clone creates a new ExpressionContext for its sub-pipeline, while the $lookup or $graphLookup expressions still hold a raw pointer to the outer ExpressionContext, which has by then been freed.
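The ownership bug described in the Vulnerability and Reproduction sections, reduced to a stand-alone model. This is an added example, not MongoDB's code: Context, RawPtrStage, SharedPtrStage and contextSurvivesClone are hypothetical stand-ins for ExpressionContext, a $lookup-like stage and the clone-for-dispatch step, and std::shared_ptr stands in for whatever reference-counted handle the real fix uses, which this page does not name. The raw-pointer version reproduces the dangling reference without dereferencing it (it looks the pointer value up in a table of live contexts instead); the shared-ownership version shows why a reference-counted handle removes the problem.

```cpp
// Added example, not MongoDB source: a minimal model of the ExpressionContext
// lifetime bug. Names below (Context, RawPtrStage, SharedPtrStage,
// contextSurvivesClone) are hypothetical stand-ins chosen for this example.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>

// Addresses of contexts that are currently alive. The example consults this
// instead of dereferencing a possibly-freed pointer, which would be undefined
// behaviour; only the pointer *value* is looked up, never the pointee.
static std::set<std::uintptr_t>& liveContexts() {
    static std::set<std::uintptr_t> live;
    return live;
}

struct Context {
    std::string name;
    explicit Context(std::string n) : name(std::move(n)) {
        liveContexts().insert(reinterpret_cast<std::uintptr_t>(this));
    }
    ~Context() { liveContexts().erase(reinterpret_cast<std::uintptr_t>(this)); }
    Context(const Context&) = delete;
    Context& operator=(const Context&) = delete;
};

static bool isLive(const Context* c) {
    return liveContexts().count(reinterpret_cast<std::uintptr_t>(c)) != 0;
}

// Vulnerable pattern: the stage keeps a raw pointer and has no share in the
// context's lifetime, so whoever owns the context can free it underneath.
struct RawPtrStage {
    const Context* ctx;
    explicit RawPtrStage(const std::shared_ptr<Context>& c) : ctx(c.get()) {}
    bool contextIsLive() const { return isLive(ctx); }
};

// Hardened pattern: the stage co-owns the context, so it cannot be freed
// while any stage still refers to it.
struct SharedPtrStage {
    std::shared_ptr<const Context> ctx;
    explicit SharedPtrStage(const std::shared_ptr<Context>& c) : ctx(c) {}
    bool contextIsLive() const { return isLive(ctx.get()); }
};

// Models the clone-for-shard-dispatch step from the advisory: a $lookup-like
// stage captures the outer context, the inner $unionWith's clone creates a
// fresh context for its sub-pipeline, and the original context's owner lets
// it go. Returns whether the stage's context is still alive afterwards.
template <class Stage>
static bool contextSurvivesClone() {
    auto outer = std::make_shared<Context>("outer");
    Stage lookup(outer);
    auto inner = std::make_shared<Context>("sub-pipeline clone");
    (void)inner;   // exists only to mirror the clone creating a new context
    outer.reset(); // the owner drops the original context
    return lookup.contextIsLive();
}

bool rawPointerSurvivesClone()    { return contextSurvivesClone<RawPtrStage>(); }    // false: dangling
bool sharedPointerSurvivesClone() { return contextSurvivesClone<SharedPtrStage>(); } // true: still owned

int main() {
    std::printf("raw pointer, context alive after clone:    %s\n", rawPointerSurvivesClone() ? "yes" : "no");
    std::printf("shared pointer, context alive after clone: %s\n", sharedPointerSurvivesClone() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ownership relationship, not the crash: in the real server the raw pointer would be dereferenced on the next evaluation of the $lookup or $graphLookup expression, which is the use-after-free. Running a build with AddressSanitizer against the reproduction pipeline is the practical way to confirm the dereference; the live-context table above is only a way to make the dangling pointer observable in a standalone program.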

Remediation

Upgrade to a release that contains the fix: 7.0.31 or later on the 7.0 branch, 8.0.20 or later on 8.0, 8.2.6 or later on 8.2, or 8.3 or later. Because the vulnerable code path runs while pipelines are cloned for shard dispatch, upgrade every component of the sharded cluster (mongos routers as well as the shard and config server replica sets) rather than a single node. No fixed version is given here for branches other than 7.0, 8.0, 8.2 and 8.3.
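A version check matching the remediation list above, as an added example (not MongoDB tooling; the function names are mine). It takes a server version string such as the output of db.version() and reports whether it is at or past the fixed release for its branch. The thresholds are taken from this advisory only: branches the advisory does not mention come back as Unknown rather than guessed, a pre-release such as 8.0.20-rc0 is treated as older than 8.0.20, and it is assumed that releases after 8.3 inherit the fix.

```cpp
// Added example, not MongoDB tooling: classifies a server version string
// against the fixed versions listed in the Remediation section. Thresholds
// come from this advisory only; branches it does not name are Unknown.
#include <cstdio>
#include <sstream>
#include <string>

enum class FixStatus { Fixed, Vulnerable, Unknown };

struct Version {
    int major = 0, minor = 0, patch = 0;
    bool prerelease = false;   // "8.0.20-rc0" precedes the 8.0.20 release
};

// Parses "8.0.20", "v7.0.31", "8.3" or "8.0.20-rc0". Missing fields are 0,
// so "8.3" means 8.3.0. Returns false for anything that is not dotted digits.
static bool parseVersion(const std::string& text, Version& out) {
    std::string s = text;
    if (!s.empty() && s[0] == 'v') s.erase(0, 1);
    Version v;
    std::size_t dash = s.find('-');
    if (dash != std::string::npos) { v.prerelease = true; s.erase(dash); }
    std::istringstream in(s);
    std::string part;
    int fields[3] = {0, 0, 0};
    int n = 0;
    while (n < 3 && std::getline(in, part, '.')) {
        if (part.empty() || part.size() > 9 ||
            part.find_first_not_of("0123456789") != std::string::npos) return false;
        fields[n++] = std::stoi(part);
    }
    if (n == 0) return false;
    v.major = fields[0]; v.minor = fields[1]; v.patch = fields[2];
    out = v;
    return true;
}

// True if v >= maj.min.pat; exactly the threshold counts only as a final release.
static bool atLeast(const Version& v, int maj, int min, int pat) {
    if (v.major != maj) return v.major > maj;
    if (v.minor != min) return v.minor > min;
    if (v.patch != pat) return v.patch > pat;
    return !v.prerelease;
}

FixStatus fixStatus(const std::string& text) {
    Version v;
    if (!parseVersion(text, v)) return FixStatus::Unknown;
    if (v.major == 7 && v.minor == 0) return atLeast(v, 7, 0, 31) ? FixStatus::Fixed : FixStatus::Vulnerable;
    if (v.major == 8 && v.minor == 0) return atLeast(v, 8, 0, 20) ? FixStatus::Fixed : FixStatus::Vulnerable;
    if (v.major == 8 && v.minor == 2) return atLeast(v, 8, 2, 6)  ? FixStatus::Fixed : FixStatus::Vulnerable;
    if (atLeast(v, 8, 3, 0)) return FixStatus::Fixed;   // 8.3 and, by assumption, every later release
    return FixStatus::Unknown;   // 6.0 and older, other rapid releases: not covered by this advisory
}

static const char* label(FixStatus s) {
    switch (s) {
        case FixStatus::Fixed:      return "fixed";
        case FixStatus::Vulnerable: return "vulnerable";
        default:                    return "unknown (branch not covered by this advisory)";
    }
}

int main(int argc, char** argv) {
    // Constructed sample input when no version is passed on the command line.
    const std::string version = argc > 1 ? argv[1] : "8.0.19";
    std::printf("%s: %s\n", version.c_str(), label(fixStatus(version)));
    return 0;
}
```

Run it against each mongos and mongod in the cluster, not just one, since a single unpatched router or shard keeps the vulnerable clone path reachable.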

Added: Mar 17, 2026, 4:23 PM
Updated: Mar 17, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 4.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.