MongoDB Server Denial-of-Service Vulnerability via Server-Side JavaScript Execution

Vulnerability

A denial-of-service vulnerability has been identified in MongoDB Server versions 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. An authenticated user can trigger it by invoking the $_internalJsEmit function, which is not intended to be called directly, or by using the map function of the mapReduce command in a specific manner. When the server-side JavaScript engine is then exercised in certain ways, such as through $where, $function, or the reduce stage of mapReduce, the mongod process crashes, producing a post-authentication denial-of-service condition.

Impact

Exploitation of this vulnerability leads to a crash of the mongod process, causing a denial-of-service condition where the database server becomes unresponsive.

Remediation

Users can upgrade to MongoDB Server versions 8.2.8, 8.3.0-rc4, or 8.2.9 to address this vulnerability.
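The following check is an added example, not part of this advisory or of MongoDB's own tooling. It encodes the affected branches and first fixed releases stated above, compares a reported mongod version string (what `mongod --version` or `db.version()` returns) against them, and inspects a parsed mongod.conf for the `security.javascriptEnabled` setting, a real mongod option (default true) that the advisory itself does not mention but that governs the $where, $function and mapReduce code paths it names. The inventory values at the bottom are constructed for illustration.

```python
"""Added check for the MongoDB server-side JavaScript DoS advisory above.

Compares a mongod version string against the affected ranges the advisory
lists (7.0 < 7.0.34, 8.0 < 8.0.23, 8.2 < 8.2.9, 8.3 < 8.3.2) and inspects a
parsed mongod.conf for security.javascriptEnabled, a real mongod option
(default true) that the advisory does not mention. Sample inventory values
are constructed for illustration only.
"""
import re

# First fixed release per affected branch, taken from the advisory text.
FIRST_FIXED = {
    (7, 0): "7.0.34",
    (8, 0): "8.0.23",
    (8, 2): "8.2.9",
    (8, 3): "8.3.2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Return a sortable tuple for strings like '8.2.8' or '8.3.0-rc4'.

    A pre-release tag (e.g. rc4) sorts before the final release of the
    same number, so '8.3.0-rc4' < '8.3.0'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised mongod version: {version!r}")
    major, minor, patch, pre = m.groups()
    # Numeric part of the pre-release tag, if any, so rc10 > rc9.
    pre_num = int(re.sub(r"\D", "", pre) or 0) if pre else 0
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre_num)


def first_fixed_version(version):
    """First fixed release for this version's branch, or None when the
    advisory does not list that branch."""
    major, minor = parse_version(version)[:2]
    return FIRST_FIXED.get((major, minor))


def is_affected(version):
    """True when the version is on a listed branch and older than its fix."""
    fixed = first_fixed_version(version)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def server_side_js_enabled(config):
    """Read security.javascriptEnabled from a parsed mongod.conf dict.

    mongod enables server-side JavaScript by default, so an absent key
    counts as enabled.
    """
    return bool(config.get("security", {}).get("javascriptEnabled", True))


def assess(host, version, config):
    """Combine the two checks into one finding for an inventory entry."""
    affected = is_affected(version)
    js_on = server_side_js_enabled(config)
    fixed = first_fixed_version(version)
    if affected and js_on:
        # Editor's reading: disabling server-side JavaScript removes the
        # $where/$function/mapReduce paths the advisory names until patched.
        action = (f"upgrade to {fixed}; until then set "
                  "security.javascriptEnabled: false")
    elif affected:
        action = f"upgrade to {fixed} (server-side JavaScript already disabled)"
    else:
        action = "no action required by this advisory"
    return {"host": host, "version": version, "affected": affected,
            "js_enabled": js_on, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory: (host, reported version, parsed config).
    inventory = [
        ("db-prod-1", "8.0.22", {}),
        ("db-prod-2", "8.2.9", {}),
        ("db-stage-1", "7.0.33", {"security": {"javascriptEnabled": False}}),
        ("db-dev-1", "8.3.0-rc4", {"security": {"javascriptEnabled": True}}),
    ]
    for host, version, cfg in inventory:
        f = assess(host, version, cfg)
        print(f"{f['host']:<11} {f['version']:<10} affected={f['affected']!s:<5} "
              f"js_enabled={f['js_enabled']!s:<5} -> {f['action']}")
```

Branches the advisory does not list (for example 6.0 or 8.1) are reported as not affected by this advisory rather than as safe; the check only knows what the page states. Feed it the `security` section of a YAML-parsed mongod.conf, or an empty dict when the host runs with defaults.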

Added: May 13, 2026, 4:57 PM
Updated: May 13, 2026, 4:57 PM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread            6.8
  impact            2.5
  exploitability    4.9
  remediation       7.7
  relevance         8.2
  threat            0.0
  urgency          10.0
  incentive         0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.