Infinite loop in aggregation expression
Description
Unauthenticated database queries can cause an infinite loop in MongoDB's aggregation processing, leading to denial of service.
AI Insight
Vulnerability
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries that loop indefinitely in mathematics processing while retaining locks. This issue affects MongoDB Server v4.0 versions prior to 4.0.5, v3.6 versions prior to 3.6.10, and v3.4 versions prior to 3.4.19 [1]. The flaw is classified as CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop').
Exploitation
An attacker needs network access and valid database credentials to issue a specially crafted aggregation query that exploits the infinite loop during mathematics processing. The query will cause the server to consume CPU resources indefinitely while holding locks, preventing other operations from proceeding. No user interaction beyond initiating the query is required [1].
Impact
Successful exploitation results in denial of service (availability impact) as the database server becomes unresponsive due to the infinite loop and retained locks. Confidentiality and integrity are not affected; the CVSS:3.1 score is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [1].
Mitigation
MongoDB released fixed versions: 4.0.5, 3.6.10, and 3.4.19. Users should upgrade to these versions or later to remediate the vulnerability. There is no known workaround for unpatched versions [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
MongoDB Inc. / MongoDB Server v5 Range: 4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://jira.mongodb.org/browse/SERVER-38070 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.