MongoDB Server Excess Memory Usage Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in MongoDB Server versions 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. An authenticated user can cause excessive memory consumption through the server's AST processing of the bitwise match expressions $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. The increased memory usage creates memory pressure that may result in availability loss due to out-of-memory conditions.
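An exposure check for the above, as an added example that is not MongoDB's or this page's own code: it tests a server version string against the affected ranges stated in this section and lists where the four bitwise operators occur in a query filter. The function names, the sample filter, and the choice to count a pre-release of a fixed patch as affected are assumptions.

```javascript
// Added example. Ranges come from the Vulnerability section:
// each series is affected below the patch number listed here.
const FIRST_UNAFFECTED_PATCH = { "7.0": 34, "8.0": 23, "8.2": 9, "8.3": 2 };
const BITWISE_OPS = new Set([
  "$bitsAllSet", "$bitsAnySet", "$bitsAllClear", "$bitsAnyClear",
]);

// true/false for a series named in the advisory, null for any other series.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const series = `${m[1]}.${m[2]}`;
  if (!(series in FIRST_UNAFFECTED_PATCH)) return null; // advisory is silent
  const patch = Number(m[3]);
  const limit = FIRST_UNAFFECTED_PATCH[series];
  // Assumption: a pre-release such as 8.3.2-rc1 sorts before 8.3.2.
  if (patch === limit && m[4]) return true;
  return patch < limit;
}

// Recursively walk a filter document and report each bitwise operator
// together with the path of the field expression that contains it.
function findBitwiseOps(node, path = "$") {
  const hits = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => hits.push(...findBitwiseOps(v, `${path}[${i}]`)));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (BITWISE_OPS.has(key)) hits.push({ path, op: key });
      hits.push(...findBitwiseOps(value, `${path}.${key}`));
    }
  }
  return hits;
}

// Constructed sample filter, not taken from any real workload.
const sampleFilter = {
  $or: [
    { flags: { $bitsAllSet: [1, 5] } },
    { status: "A", perms: { $not: { $bitsAnyClear: 6 } } },
  ],
};

console.log(isAffected("8.0.21"), findBitwiseOps(sampleFilter));
```

Feed `isAffected` the version string reported by `db.version()` and run `findBitwiseOps` over filters collected from application code or the profiler to see which workloads use these operators.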

Impact

Exploitation of this vulnerability can lead to excessive memory consumption, causing out-of-memory conditions that disrupt service availability.

Remediation

Users can upgrade to MongoDB Server versions 8.2.8, 8.0.22, 7.0.33, 8.3.0-rc4, 8.2.9, 8.0.23, 8.2.10, or 8.0.24 to address this vulnerability.

Added: May 13, 2026, 4:58 PM
Updated: May 13, 2026, 4:58 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.5
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.