CVE-2021-32040

Name of the Vulnerable Software and Affected Versions MongoDB Server versions prior to 4.2.16 MongoDB Server versions 4.4 prior to and including 4.4.28 MongoDB Server versions 5.0 prior to 5.0.4

Description It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack.

Recommendations For MongoDB Server versions prior to 4.2.16, update to version 4.2.16 or later. For MongoDB Server versions 4.4 prior to and including 4.4.28, update to a version later than 4.4.28. For MongoDB Server versions 5.0 prior to 5.0.4, update to version 5.0.4 or later. As a temporary workaround, >= v4.2.16 users and all v4.4 users can add the --setParameter internalPipelineLengthLimit=50 instead of the default 1000 to mongod at startup to prevent a crash.