Denial of Service and Data Integrity vulnerability in features command

Vulnerability

An authenticated user without any specific authorizations may repeatedly invoke the features command on MongoDB Server. This flaw affects versions v5.0.0 through v5.0.3, v4.4.0 through v4.4.9, v4.2.0 through v4.2.16, and v4.0.0 through v4.0.28 [1]. The issue is a CWE-770: Allocation of Resources Without Limits or Throttling [1].

Exploitation

An attacker with network access and low-privilege authentication can continuously send features command requests. No special permissions or user interaction is required beyond having valid credentials [1]. The attack requires no race window or write access; simply issuing a high volume of requests over the network is sufficient.

Impact

At high invocation volume, the server may experience resource depletion and high lock contention, resulting in a denial of service condition. In rare cases, the contention can overflow or corrupt internal ID fields, leading to data integrity violations [1]. The CVSS score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) reflects the limited impact on integrity and availability, with no confidentiality compromise [1].

Mitigation

MongoDB Server v5.0.4, v4.4.10, v4.2.17, and v4.0.29 contain fixes for this issue [1]. Users should upgrade to these versions or later. No workaround is documented in the available references. If an immediate upgrade is not possible, restricting the features command via role-based access control may reduce exposure, but this is not a complete mitigation.