CVE-2026-25611: CVE-2026-25611: Pre-Authentication Denial of Service via Asymmetric Memory Exhaustion in MongoDB Server

#security #cve #cybersecurity

CVE-2026-25611: Pre-Authentication Denial of Service via Asymmetric Memory Exhaustion in MongoDB Server

Vulnerability ID: CVE-2026-25611
CVSS Score: 7.5
Published: 2026-02-10

MongoDB Server versions prior to 8.2.4, 8.0.18, and 7.0.29 are vulnerable to a pre-authentication Denial of Service (DoS) attack. By sending crafted OP_COMPRESSED wire protocol messages with disproportionately large uncompressed size declarations, an unauthenticated remote attacker can force the server to allocate excessive memory, leading to resource exhaustion and process termination.

TL;DR

Unauthenticated remote attackers can crash MongoDB servers by sending crafted OP_COMPRESSED messages that trigger excessive memory allocation, leading to OOM termination.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-405
Attack Vector: Network
CVSS v4.0: 8.7
CVSS v3.1: 7.5
Impact: Denial of Service (Availability)
Exploit Status: Proof of Concept (PoC)
Authentication Required: None

Affected Systems

MongoDB Server 8.2
MongoDB Server 8.0
MongoDB Server 7.0
MongoDB Server: < 8.2.4 (Fixed in: 8.2.4)
MongoDB Server: < 8.0.18 (Fixed in: 8.0.18)
MongoDB Server: < 7.0.29 (Fixed in: 7.0.29)

Mitigation Strategies

Upgrade to patched MongoDB Server versions
Implement strict network filtering and access controls on port 27017
Disable network compression if patching is not immediately feasible

Remediation Steps:

Identify all MongoDB instances running versions prior to 8.2.4, 8.0.18, or 7.0.29.
Apply network access controls to restrict port 27017 to trusted IP addresses or VPC segments.
Deploy official patches provided by MongoDB.
Monitor memory usage and kernel OOM killer logs for signs of attempted exploitation.

References

Read the full report for CVE-2026-25611 on our website for more details including interactive diagrams and full exploit analysis.

DEV Community