CVE-2024-3372

7.5 HIGH

📋 TL;DR

CVE-2024-3372 is an improper input validation vulnerability in MongoDB Server that allows pre-authentication attackers to send malformed metadata causing BSON serialization errors. This can lead to unexpected application behavior including unavailability of serverStatus responses. Affected users include anyone running vulnerable MongoDB Server versions 5.0, 6.0, or 7.0 without the latest patches.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: v7.0 prior to 7.0.6, v6.0 prior to 6.0.14, v5.0 prior to 5.0.25
Operating Systems: All platforms running MongoDB
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service where MongoDB becomes unresponsive to legitimate requests, potentially affecting all database operations.

🟠 Likely Case

Partial service degradation where serverStatus endpoints become unavailable, impacting monitoring and management functions.

🟢 If Mitigated

Minimal impact with proper network segmentation and access controls limiting exposure to untrusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Pre-authentication exploitation makes this particularly dangerous as attackers don't need credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.0.6, v6.0.14, v5.0.25

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-85263

Restart Required: Yes

Instructions:

1. Download the appropriate patched version from the MongoDB website.
2. Stop the MongoDB service.
3. Install the updated version.
4. Restart the MongoDB service.
5. Verify the version with db.version().

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Limit access to the MongoDB port (27017) to trusted IP addresses only. Replace TRUSTED_IP with the address or CIDR range of each host that must connect; note that -A appends, so these rules only take effect if no earlier rule already accepts this traffic.

iptables -A INPUT -p tcp --dport 27017 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 27017 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MongoDB from untrusted networks
  • Deploy Web Application Firewall (WAF) or network filtering to block malformed BSON requests

🔍 How to Verify

Check if Vulnerable:

Connect to MongoDB and run db.version() to check whether the running version falls in the affected range listed above.

Check Version:

db.version()

Verify Fix Applied:

After patching, confirm with db.version() that the version is 7.0.6, 6.0.14, or 5.0.25 or later within its release series.
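The version comparison behind this check, as an added example that is not part of the advisory and not MongoDB's own tooling: it parses the string that db.version() returns and decides whether it falls in one of the three affected ranges given above. The hostnames in the sample inventory are constructed; the fixed-version numbers are the ones the advisory lists.

```python
"""Added example: decide whether a db.version() string is in an affected range
for CVE-2024-3372. Not part of the advisory or of MongoDB's tooling."""
import re

# First fixed release in each affected series, as listed in the advisory.
FIXED_VERSIONS = {
    (5, 0): (5, 0, 25),
    (6, 0): (6, 0, 14),
    (7, 0): (7, 0, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Turn a db.version() string such as '6.0.13' or '7.0.6-rc1' into a
    comparable tuple (major, minor, patch, release_flag). A pre-release tag
    sorts before the final release carrying the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable(version):
    """True if the version lies in one of the advisory's affected ranges.

    Series the advisory does not name (for example 4.4 or 7.1) are reported
    as not affected by this CVE; consult the vendor advisory for anything else.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False
    return parsed < fixed + (1,)


def report(inventory):
    """Given {hostname: db.version() output}, return the hosts still on an
    affected build mapped to the first fixed release they should move to."""
    out = {}
    for host, version in inventory.items():
        if is_vulnerable(version):
            fixed = FIXED_VERSIONS[parse_version(version)[:2]]
            out[host] = ".".join(map(str, fixed))
    return out


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    sample = {"db-01": "7.0.5", "db-02": "7.0.6", "db-03": "6.0.13", "db-04": "5.0.25"}
    for host, target in report(sample).items():
        print(f"{host}: vulnerable, upgrade to {target}")
```

Feed it the output of db.version() gathered from each node (including secondaries and arbiters in a replica set, which the advisory's "all deployments" note covers); a pre-release build such as 7.0.6-rc1 is still treated as unpatched.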

📡 Detection & Monitoring

Log Indicators:

  • BSON serialization errors
  • serverStatus endpoint failures
  • unexpected connection terminations

Network Indicators:

  • Unusual traffic patterns to MongoDB port 27017
  • Malformed BSON requests from untrusted sources

SIEM Query:

source="mongodb.log" AND ("BSON" OR "serialization" OR "serverStatus") AND ("error" OR "failed")
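The same indicator logic applied locally to mongod log lines, as an added example that is not part of the advisory: it understands mongod's JSON structured log layout (fields t, s, c, id, ctx, msg, attr), falls back to plain text for older-style lines, and flags records that combine one of the keywords from the SIEM query with an error or failure word, counting hits per connection context. The sample log lines are constructed for illustration; their message text and ids are not real mongod output.

```python
"""Added example: scan mongod log lines for the advisory's log indicators.
Sample lines are constructed and are not real mongod output."""
import json
import re
from collections import Counter

# Keyword indicators mirrored from the SIEM query in the advisory.
INDICATOR = re.compile(r"BSON|serialization|serverStatus", re.IGNORECASE)
ERROR_WORD = re.compile(r"\berror\b|\bfailed\b", re.IGNORECASE)


def parse_line(line):
    """Normalise one log line into {severity, ctx, remote, text}.

    mongod 4.4+ writes one JSON object per line; anything that does not parse
    as JSON is kept as plain text with empty metadata fields."""
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if isinstance(rec, dict):
            attr = rec.get("attr") or {}
            text = f"{rec.get('msg', '')} {json.dumps(attr, sort_keys=True)}"
            return {"severity": rec.get("s", ""), "ctx": rec.get("ctx", ""),
                    "remote": str(attr.get("remote", "")), "text": text}
    return {"severity": "", "ctx": "", "remote": "", "text": line}


def is_indicator(record):
    """A hit needs both a BSON/serialization/serverStatus keyword and an
    error/failure word, so routine serverStatus calls are not flagged."""
    text = record["text"]
    return bool(INDICATOR.search(text) and ERROR_WORD.search(text))


def scan(lines):
    """Return (hits, per_connection): the matching records and a count of
    hits per connection context, so a burst from one client stands out."""
    hits = [r for r in map(parse_line, lines) if is_indicator(r)]
    per_connection = Counter(r["ctx"] or "unknown" for r in hits)
    return hits, per_connection


# Constructed sample, not real mongod messages; addresses are documentation ranges.
SAMPLE_LOG = [
    '{"t":{"$date":"2024-03-20T10:00:01.000+00:00"},"s":"I","c":"NETWORK","id":0,'
    '"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:51234"}}',
    '{"t":{"$date":"2024-03-20T10:00:01.200+00:00"},"s":"E","c":"NETWORK","id":0,'
    '"ctx":"conn12","msg":"BSON serialization error while building serverStatus response",'
    '"attr":{"remote":"203.0.113.5:51234"}}',
    '{"t":{"$date":"2024-03-20T10:00:01.300+00:00"},"s":"I","c":"NETWORK","id":0,'
    '"ctx":"conn12","msg":"Connection ended","attr":{"remote":"203.0.113.5:51234"}}',
    '{"t":{"$date":"2024-03-20T10:00:02.000+00:00"},"s":"W","c":"COMMAND","id":0,'
    '"ctx":"conn13","msg":"Command failed","attr":{"command":"serverStatus","error":"invalid BSON"}}',
    "2024-03-20T10:00:03.000+0000 I COMMAND  [conn14] command admin.$cmd command: serverStatus ok",
]

if __name__ == "__main__":
    hits, per_connection = scan(SAMPLE_LOG)
    for rec in hits:
        print(f"[{rec['severity'] or '?'}] {rec['ctx']} {rec['remote']}: {rec['text'][:80]}")
    print("hits per connection:", dict(per_connection))
```

Pair the per-connection counts with the remote field to see whether the errors cluster on sources outside the trusted ranges allowed by the iptables workaround; a healthy serverStatus call (the last sample line) produces no hit.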

🔗 References
