PT-2026-7415 · Mongodb+1

Vitaly Simonovich · Published 2026-02-10 · Updated 2026-04-14

CVE-2026-25611

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: MongoDB versions 3.4 and later
Description: A flaw in MongoDB's OP_COMPRESSED handling allows unauthenticated attackers to crash servers with minimal traffic. The issue arises because MongoDB allocates approximately 48 MB of memory per connection before validating decompression parameters. Attackers can send crafted packets of around 47 KB with manipulated uncompressedSize values, triggering rapid memory exhaustion; concurrent connections can lead to out-of-memory kills and service disruption. The vulnerability affects deployments with compression enabled, which has been the default since version 3.6, including MongoDB Atlas. Approximately 207,000 instances are potentially exposed. The attack consists of sending a zlib-compressed packet that claims a larger uncompressed size than it actually has, causing excessive memory allocation.
Recommendations: MongoDB versions 3.4 and later should be patched to address this vulnerability. Limit exposure of MongoDB instances to the internet.
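As an added example that is not the advisory's or MongoDB's own code, the following Python sketch parses an OP_COMPRESSED frame in the order the description calls for: the advertised uncompressedSize is bounded before anything is sized from it, and decompression runs under a hard output ceiling so the actual length is checked rather than trusted. Opcode and compressor numbers follow the public MongoDB wire protocol; the 48,000,000-byte cap and the test frames are assumed/constructed values.

```python
import struct
import zlib

# Wire-format constants from MongoDB's public wire protocol; the cap is an
# assumption standing in for the server's ~48 MB maximum message size.
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MAX_MESSAGE_SIZE = 48_000_000
HEADER_LEN = 16            # messageLength, requestID, responseTo, opCode (int32 each)
COMPRESSED_HEADER_LEN = 9  # originalOpcode (int32), uncompressedSize (int32), compressorId (uint8)


def validate_op_compressed(frame: bytes) -> dict:
    """Parse an OP_COMPRESSED frame, rejecting it before any decompression
    buffer is sized from an untrusted uncompressedSize."""
    if len(frame) < HEADER_LEN + COMPRESSED_HEADER_LEN:
        return {"ok": False, "reason": "frame too short"}
    msg_len, _req_id, _resp_to, op_code = struct.unpack_from("<iiii", frame, 0)
    if op_code != OP_COMPRESSED or msg_len != len(frame):
        return {"ok": False, "reason": "bad header"}
    orig_op, claimed, compressor_id = struct.unpack_from("<iiB", frame, HEADER_LEN)
    # The ordering the advisory calls for: bound the claimed size *before*
    # allocating anything proportional to it.
    if claimed < HEADER_LEN or claimed > MAX_MESSAGE_SIZE:
        return {"ok": False, "reason": f"uncompressedSize {claimed} out of range"}
    if compressor_id != COMPRESSOR_ZLIB:
        return {"ok": False, "reason": f"unsupported compressorId {compressor_id}"}
    payload = frame[HEADER_LEN + COMPRESSED_HEADER_LEN:]
    # Decompress with a hard output ceiling (claimed + 1 so an honest frame
    # finishes cleanly and an over-long one is caught by length, not by OOM).
    d = zlib.decompressobj()
    try:
        body = d.decompress(payload, max_length=claimed + 1)
    except zlib.error as exc:
        return {"ok": False, "reason": f"zlib error: {exc}"}
    if not d.eof or len(body) != claimed:
        return {"ok": False, "reason": "decompressed length does not match uncompressedSize"}
    return {"ok": True, "original_opcode": orig_op, "body": body}


def build_test_frame(body: bytes, claimed_size: int) -> bytes:
    """Constructed OP_COMPRESSED frame for exercising the validator; the
    claimed_size parameter lets a test assert that a mismatched header is refused."""
    payload = zlib.compress(body)
    comp_hdr = struct.pack("<iiB", OP_MSG, claimed_size, COMPRESSOR_ZLIB)
    total = HEADER_LEN + len(comp_hdr) + len(payload)
    return struct.pack("<iiii", total, 1, 0, OP_COMPRESSED) + comp_hdr + payload
```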

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-03579
CVE-2026-25611

Affected Products

Mongodb
Red Os