MongoDB Server (mongod) may crash in response to unexpected requests
Description
An authenticated user can crash MongoDB Server v5.0 prior to 5.0.7 by triggering an invariant assertion in the $external database command dispatch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated user may cause an invariant assertion (CWE-617) to be raised during command dispatch on the $external database. The bug exists because input validation is incomplete for commands routed to that special database. This issue affects MongoDB Server version 5.0.0 through 5.0.6 (prior to 5.0.7) on all operating systems [1].
Exploitation
The attacker must be a valid authenticated user of the MongoDB server. No special privileges beyond regular user credentials are required. The attacker sends a crafted command targeting the $external database that triggers the invariant assertion. This can be done over the network using the MongoDB wire protocol [1].
Impact
A successful trigger causes the mongod process to crash or experience a denial of service due to the unhandled assertion. There is no impact on confidentiality or integrity; the effect is limited to availability (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, base score 6.5) [1].
Mitigation
MongoDB Server 5.0.7 and later contain the fix for this vulnerability. The patch is referenced in the Jira ticket SERVER-63968 [1]. Users running any 5.0.x version prior to 5.0.7 should upgrade to 5.0.7 or later. There is no known workaround for unpatched versions.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MongoDB Inc. / MongoDB Server v5 (Range: 5.0)
Patches
No patches discovered yet.
References
[1] jira.mongodb.org/browse/SERVER-63968 (mitre, x_refsource_MISC)