CVE-2024-3374 in Server
Summary
by MITRE • 05/14/2024
An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.
Analysis
by VulDB Data Team • 09/29/2025
This vulnerability is a memory management flaw in MongoDB Server that can lead to a denial of service condition. The issue manifests when the server generates FTDC diagnostic metrics in response to an unauthenticated request and the resulting BSON object construction exceeds predetermined memory thresholds. The fatal assertion fires during the internal processing of diagnostic data, crashing the server process and rendering the database unavailable to legitimate users. The vulnerability affects both the MongoDB 5.0 and 6.0 release lines, specifically versions up to and including 5.0.16 and 6.0.5 respectively, so its impact spans multiple stable release branches.
The technical root cause is inadequate input validation and memory boundary checking within the BSON serialization process. When an unauthenticated client triggers diagnostic metric generation, the server's internal assertion mechanism detects an attempt to construct a BSON object that surpasses the acceptable memory limit and aborts the process. This condition violates fundamental memory safety principles and reflects a lack of proper resource management in the diagnostic subsystem. The vulnerability is classified under CWE-129 as an insufficient input validation issue, manifesting as improper handling of memory allocation during data serialization. The flaw rests on the server's assumption that diagnostic metrics generation will occur only in controlled, authenticated contexts, which fails to account for malicious or accidental unauthenticated access.
Operationally, this vulnerability presents a significant threat to MongoDB deployments because any remote attacker can initiate a denial of service without authentication credentials. The impact extends beyond simple service disruption: a server crash can result in data loss, transaction rollbacks, and extended downtime for applications that depend on the database. The vulnerability maps to ATT&CK technique T1499.004 for network denial of service, in which attackers exploit application-level flaws to cause system unavailability. Its unauthenticated nature makes it particularly dangerous, since anyone with network access to the MongoDB instance can exploit it, potentially affecting large-scale deployments with exposed database endpoints.
Mitigation should focus on immediate upgrades to patched releases, which address the memory boundary checking deficiencies in the BSON construction process; the recommended target versions are MongoDB 5.0.17 and 6.0.6, which include enhanced input validation and memory management controls. Organizations should also implement network segmentation and access controls to limit the exposure of MongoDB instances to untrusted networks, and configure proper authentication to prevent unauthorized access. Additionally, administrators should monitor diagnostic metric generation activity and implement rate limiting to prevent abuse of the FTDC subsystem. Where the risk of unauthenticated access cannot be fully mitigated through network controls, administrators should consider disabling unnecessary diagnostic features in production environments.
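As an added example (not part of the VulDB or MongoDB material), the following Python check maps a `mongod --version` style string onto the affected and fixed versions stated above; the sample version strings it runs against are constructed.

```python
import re

# Affected ranges as stated in the advisory: the 5.0 line up to and including
# 5.0.16 and the 6.0 line up to and including 6.0.5; fixed in 5.0.17 and 6.0.6.
LAST_AFFECTED_PATCH = {
    (5, 0): 16,  # 5.0.0 .. 5.0.16 affected
    (6, 0): 5,   # 6.0.0 .. 6.0.5 affected
}

_VERSION_RE = re.compile(
    r"v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<pre>-[0-9A-Za-z.]+)?"
)


def parse_mongod_version(text):
    """Return (major, minor, patch, is_prerelease) from output such as
    'db version v6.0.5' or a bare '5.0.17-rc0' (constructed inputs below)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return (int(m["major"]), int(m["minor"]), int(m["patch"]), m["pre"] is not None)


def is_affected(text):
    """True if the version string falls inside a CVE-2024-3374 affected range."""
    major, minor, patch, prerelease = parse_mongod_version(text)
    last_affected = LAST_AFFECTED_PATCH.get((major, minor))
    if last_affected is None:
        return False  # release line not listed in the advisory
    if patch <= last_affected:
        return True
    # A pre-release build of the first fixed patch level (e.g. 5.0.17-rc0)
    # predates the GA fix, so treat it conservatively as still affected.
    return bool(prerelease and patch == last_affected + 1)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real server.
    for sample in ["db version v5.0.16", "db version v5.0.17",
                   "db version v6.0.5", "db version v6.0.6", "5.0.17-rc0"]:
        state = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:24s} -> {state}")
```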