CVE-2024-3372 Overview
CVE-2024-3372 is an improper input validation vulnerability in MongoDB Server. Specially crafted metadata sent to the server causes it to serialize BSON (Binary JSON) incorrectly. The flaw is reachable pre-authentication, so an attacker only needs network access to the mongod listener, and the result is a denial of service condition with unexpected application behavior, including the unavailability of serverStatus responses that monitoring tooling depends on.
Critical Impact
Pre-authentication denial of service: a remote attacker with network access to the server and no credentials can disrupt MongoDB availability and the serverStatus-based monitoring that operators rely on to notice the disruption.
Affected Products
- MongoDB Server v7.0 versions prior to 7.0.6
- MongoDB Server v6.0 versions prior to 6.0.14
- MongoDB Server v5.0 versions prior to 5.0.25
Discovery Timeline
- 2024-05-14 - CVE-2024-3372 published to NVD
- 2025-09-22 - Last updated in NVD database
Technical Details for CVE-2024-3372
Vulnerability Analysis
This vulnerability stems from improper validation of metadata input within MongoDB Server's BSON serialization process. BSON is MongoDB's binary-encoded serialization format used to store documents and make remote procedure calls. When the server processes certain malformed metadata, it fails to correctly serialize the BSON data, leading to unexpected behavior.
The vulnerability is classified under CWE-20 (Improper Input Validation), indicating that the MongoDB server does not adequately validate certain input before processing. The pre-authentication nature of this vulnerability makes it particularly concerning, as attackers do not need valid credentials to trigger the flaw.
The attack can be performed remotely over the network without any user interaction required. When exploited, the vulnerability primarily impacts availability by causing the server to produce incorrect responses or become unresponsive to serverStatus queries, which are critical for monitoring and operational visibility.
Root Cause
The root cause is improper input validation (CWE-20) in the MongoDB server's metadata processing routines. The server fails to properly sanitize and validate certain metadata input parameters before attempting to serialize them into BSON format. This lack of validation allows malformed or specially crafted input to disrupt the serialization process.
Attack Vector
The attack is network-based and can be executed pre-authentication, meaning an attacker only needs network access to a vulnerable MongoDB instance to exploit this vulnerability. The attacker sends specially crafted metadata to the MongoDB server that triggers the improper BSON serialization behavior. This can result in denial of service conditions where the server fails to respond correctly to serverStatus requests or exhibits other unexpected behavior.
The vulnerability affects the server's ability to properly handle and serialize metadata, which is fundamental to MongoDB's internal operations. For technical details on the specific metadata handling issue, refer to the MongoDB Jira Issue SERVER-85263.
Detection Methods for CVE-2024-3372
Indicators of Compromise
- Unexpected failures or timeouts when querying serverStatus from MongoDB instances
- Abnormal BSON serialization errors in MongoDB server logs
- Unusual network traffic patterns targeting MongoDB ports (default 27017) from unknown sources
- Server log entries indicating metadata validation failures or serialization exceptions
Detection Strategies
- Monitor MongoDB server logs for BSON serialization errors and metadata processing exceptions
- Implement network intrusion detection rules to identify suspicious traffic patterns targeting MongoDB services
- Configure alerting for serverStatus query failures or unexpected response patterns
- Deploy application performance monitoring to detect abnormal MongoDB response times or availability issues
Monitoring Recommendations
- Enable comprehensive MongoDB server logging and centralize logs for analysis
- Set up automated alerts for availability issues with MongoDB serverStatus endpoints
- Monitor network connections to MongoDB instances for unauthorized access attempts
- Regularly audit MongoDB access logs for pre-authentication activity from suspicious sources
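The indicators and monitoring steps above can be turned into a first-pass log check. The script below is an added example, not MongoDB tooling. It parses mongod's structured JSON log format (fields t, s, c, id, ctx, msg, attr) and flags the three things listed above: error-level entries that mention BSON, warning-or-worse entries that involve serverStatus, and client addresses that open repeated connections without ever authenticating. The sample log lines are constructed for illustration, and the exact message strings matched ("Connection accepted", "Successfully authenticated", the BSON and serverStatus keywords) are assumptions to tune to the messages your mongod version actually emits.

```python
"""Scan mongod structured (JSON) log lines for the CVE-2024-3372 indicators above.

Added example, not MongoDB tooling. Field names follow mongod's JSON log format;
the sample lines and the message strings matched below are constructed and should
be tuned to what your mongod version emits.
"""
import json
import sys
from collections import defaultdict
from typing import Dict, Iterable, List

Entry = Dict[str, object]

# Constructed sample log (not real mongod output): three rapid connections from one
# address that never authenticate, a BSON serialization error on one of them, and a
# serverStatus failure on an authenticated monitoring connection.
SAMPLE_LOG = """\
{"t":{"$date":"2024-05-20T10:00:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40001","connectionId":101}}
{"t":{"$date":"2024-05-20T10:00:01.100+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40002","connectionId":102}}
{"t":{"$date":"2024-05-20T10:00:01.200+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40003","connectionId":103}}
{"t":{"$date":"2024-05-20T10:00:02.000+00:00"},"s":"E","c":"COMMAND","id":0,"ctx":"conn103","msg":"Failed to serialize BSON response","attr":{"error":"invalid metadata"}}
{"t":{"$date":"2024-05-20T10:00:05.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.1.50:51000","connectionId":104}}
{"t":{"$date":"2024-05-20T10:00:05.050+00:00"},"s":"I","c":"ACCESS","id":0,"ctx":"conn104","msg":"Successfully authenticated","attr":{"user":"monitor","db":"admin","client":"192.168.1.50:51000"}}
{"t":{"$date":"2024-05-20T10:00:35.000+00:00"},"s":"W","c":"COMMAND","id":0,"ctx":"conn104","msg":"Command failed","attr":{"command":"serverStatus","error":"operation exceeded time limit"}}
not a JSON line: mongod also prints plain-text banners on startup, which the parser skips
"""


def parse_log(lines: Iterable[str]) -> List[Entry]:
    """Parse JSON log lines, skipping blank or non-JSON lines instead of aborting."""
    entries: List[Entry] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "msg" in obj:
            entries.append(obj)
    return entries


def _blob(entry: Entry) -> str:
    """Lower-cased msg plus attr, so keyword matching is not tied to one field."""
    return (str(entry.get("msg", "")) + " " + json.dumps(entry.get("attr", {}))).lower()


def serialization_errors(entries: List[Entry]) -> List[Entry]:
    """Error/fatal entries mentioning BSON (IoC: abnormal BSON serialization errors)."""
    return [e for e in entries if e.get("s") in ("E", "F") and "bson" in _blob(e)]


def server_status_failures(entries: List[Entry]) -> List[Entry]:
    """Warning-or-worse entries involving serverStatus (IoC: serverStatus failures)."""
    return [e for e in entries if e.get("s") in ("W", "E", "F") and "serverstatus" in _blob(e)]


def unauthenticated_bursts(entries: List[Entry], threshold: int = 3) -> Dict[str, int]:
    """Client IPs with >= threshold accepted connections and no successful authentication.

    The CVE is triggered pre-auth, so repeated connections from an address that never
    authenticates deserve a look. Assumption: the accept message carries attr.remote
    and the auth message carries attr.client, both as "ip:port".
    """
    accepted: Dict[str, int] = defaultdict(int)
    authenticated = set()
    for e in entries:
        attr = e.get("attr") or {}
        msg = str(e.get("msg", ""))
        if msg == "Connection accepted" and "remote" in attr:
            accepted[str(attr["remote"]).rsplit(":", 1)[0]] += 1
        elif msg == "Successfully authenticated" and "client" in attr:
            authenticated.add(str(attr["client"]).rsplit(":", 1)[0])
    return {ip: n for ip, n in accepted.items() if n >= threshold and ip not in authenticated}


def scan(text: str, threshold: int = 3) -> Dict[str, object]:
    """Run all three checks over raw log text and return the findings in one dict."""
    entries = parse_log(text.splitlines())
    return {
        "serialization_errors": serialization_errors(entries),
        "server_status_failures": server_status_failures(entries),
        "unauthenticated_bursts": unauthenticated_bursts(entries, threshold),
    }


if __name__ == "__main__":
    # Usage: python scan_mongod_log.py [/path/to/mongod.log]; no argument uses the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, hits in scan(text).items():
        print(f"{name}: {hits if isinstance(hits, dict) else len(hits)}")
```

Run it against a real log with the path as the first argument. A BSON serialization error or serverStatus failure that lines up in time with an unauthenticated connection burst from the same address is the combination worth escalating; any one signal alone is usually noise.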
How to Mitigate CVE-2024-3372
Immediate Actions Required
- Upgrade MongoDB Server v7.0.x to version 7.0.6 or later
- Upgrade MongoDB Server v6.0.x to version 6.0.14 or later
- Upgrade MongoDB Server v5.0.x to version 5.0.25 or later
- Restrict network access to MongoDB instances using firewalls and access control lists
Patch Information
MongoDB has released patches addressing this vulnerability in the following versions:
- MongoDB Server 7.0.6 (for 7.0.x branch)
- MongoDB Server 6.0.14 (for 6.0.x branch)
- MongoDB Server 5.0.25 (for 5.0.x branch)
Organizations should prioritize upgrading to these patched versions. Detailed information about the fix is available in the MongoDB Jira Issue SERVER-85263.
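The fixed versions above double as a triage rule. The script below is an added example, not MongoDB's own tooling: it encodes the three fixed releases from this advisory and classifies a version string as vulnerable, fixed, or outside the advisory's scope. It accepts a bare version ("7.0.5"), the first line of `mongod --version` ("db version v7.0.5"), or the value of db.version() from mongosh. Treating a pre-release of the fix version (for example 7.0.6-rc0) as still vulnerable is this example's own conservative choice, since the advisory only vouches for the GA releases.

```python
"""Decide whether a MongoDB Server version falls in the ranges CVE-2024-3372 affects.

Added example, not MongoDB's own tooling. Fixed versions are taken from the advisory.
"""
import re
import subprocess
import sys
from typing import Tuple

# First fixed release per branch, from the advisory. Branches not listed here
# (4.4, 7.1 and later, ...) are outside the advisory's scope and are reported as
# such rather than guessed at.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 6),
    (6, 0): (6, 0, 14),
    (5, 0): (5, 0, 25),
}

# major.minor.patch with an optional pre-release suffix such as "-rc0" or "-alpha".
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) from a version string or banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MongoDB version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def assess(text: str) -> str:
    """Classify as 'vulnerable', 'fixed' or 'out-of-scope' for CVE-2024-3372.

    A pre-release of the fix version (e.g. 7.0.6-rc0) is counted as vulnerable:
    it predates the GA release and the advisory only vouches for 7.0.6 itself.
    """
    major, minor, patch, prerelease = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "out-of-scope"
    if (major, minor, patch) < fixed:
        return "vulnerable"
    if (major, minor, patch) == fixed and prerelease:
        return "vulnerable"
    return "fixed"


def local_mongod_version() -> str:
    """Ask the locally installed mongod binary for its version banner (first line)."""
    out = subprocess.run(["mongod", "--version"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    # Usage: python check_cve_2024_3372.py [version-or-banner]
    # With no argument the script queries the local mongod binary.
    source = sys.argv[1] if len(sys.argv) > 1 else local_mongod_version()
    print(f"{source.strip()}: {assess(source)}")
```

For a fleet, feed it the output of db.version() collected from each replica set member rather than trusting the package version on one host; mixed-version replica sets during a rolling upgrade are where an unpatched member is easiest to miss.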
Workarounds
- Implement network segmentation to limit exposure of MongoDB instances to trusted networks only
- Deploy a network firewall or cloud security group to filter traffic before it reaches MongoDB; a web application firewall does not apply here, because mongod speaks its own binary wire protocol over TCP rather than HTTP
- Enable MongoDB authentication and authorization as defense in depth; note that this flaw is triggered before authentication, so credentials alone do not prevent it, and network restriction remains the only effective workaround short of patching
- Consider using MongoDB's built-in IP binding configuration to restrict which network interfaces accept connections
# Network restriction configuration example
# In mongod.conf, restrict binding to trusted interfaces only.
# bindIp controls which local interfaces mongod listens on; it does not
# filter remote clients, so pair it with host or network firewall rules.
net:
  bindIp: 127.0.0.1,192.168.1.100
  port: 27017
# Enable authentication (defense in depth; does not by itself block this pre-auth flaw)
security:
  authorization: enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


