CVE-2021-32040
MEDIUMMongoDB 4.2.0-4.2.15 - Denial of Service via Aggregation Pipeline Stack Overflow
Title source: llmDescription
It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB Server v4.4 versions prior to and including 4.4.28, MongoDB Server v5.0 versions prior to 5.0.4 and MongoDB Server v4.2 versions prior to 4.2.16. Workaround: >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.
References (4)
Core 4
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.mongodb.org/browse/SERVER-58203
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.mongodb.org/browse/SERVER-59299
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.mongodb.org/browse/SERVER-60218
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220609-0005/
Scores
CVSS v3
6.5
EPSS
0.0186
EPSS Percentile
76.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-121
CWE-787
Status
published
Products (1)
mongodb/mongodb
4.2.0 - 4.2.16
Published
Apr 12, 2022
Tracked Since
Feb 18, 2026