EUVD-2026-36373
GHSA-x5xf-rwjm-436w
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable mongod, low-complexity query, authenticated read role required (PR:L); high confidentiality from memory disclosure and high availability from crash, but no integrity impact described.
Primary rating from Vendor (mongodb).
CVSS VectorVendor: mongodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.
AnalysisAI
Memory disclosure and denial of service in MongoDB Server's server-side JavaScript engine allow an authenticated user with read privileges and JavaScript execution rights to read freed heap memory or crash the mongod process. The flaw is triggered during BSON-to-JavaScript array conversion when operators such as $where or $function are evaluated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) valid authenticated credentials with at least read privileges on a target collection, (2) the server-side JavaScript engine enabled - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 4.0 score of 8.7 (AV:N/AC:L/PR:L/UI:N/VC:H/VI:H/VA:H) treats this as a near-RCE class issue, but the description scopes impact to information disclosure and crash - not code execution or data tampering - so the VI:H rating appears overstated and should be treated cautiously. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with credentials for a low-privileged read-only application account connects to mongod and issues a find() with a crafted $where JavaScript predicate (or an aggregation stage using $function) against a collection containing specifically shaped BSON arrays. The BSON-to-JS conversion frees an internal object and then re-reads it, returning freed heap contents to the query result or crashing the server; repeated queries either exfiltrate fragments of process memory (potentially including other users' query data or auth material) or take the database offline. |
| Remediation | No vendor-released patch identified at time of analysis in the provided data - track https://jira.mongodb.org/browse/SERVER-128125 for the fixed build numbers across the 6.0, 7.0, and 8.x release lines and upgrade as soon as MongoDB publishes them. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit MongoDB user accounts and document which users have JavaScript execution privileges ($where and $function operators). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Vendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today