There is a vulnerability that exists in MongoDB's zlib compression handling in src/mongo/transport/message_compressor_zlib.cpp. This bug is causing MongoDB to return uninitialized heap memory to unauthenticated clients due to a length mismatch in the decompression logic.

Additional details: The original code in the decompress() function returned output.length(), which represents the allocated buffer size, not the actual decompressed data length. This mismatch allowed attackers to read beyond the intended payload into uninitialized heap memory.

Proposed Fix

    // File: src/mongo/transport/message_compressor_zlib.cpp
    // Function: decompress()

    // BEFORE <= This is the vulnerable code
    return {output.length()};

    // AFTER <= This is my proposed fix that fixes the root cause
    return length;
JIRAUSER1289444 commented on Mon, 5 Jan 2026 00:57:45 +0000:

It appears this has been fixed in the latest version. I see that the counterHitDecompress() still uses output.length() (buffer size) instead of length (actual decompressed size). This is a metrics bug, not a security issue, but still incorrect.

JIRAUSER1289444 commented on Mon, 5 Jan 2026 00:50:12 +0000:

I will implement the proposed fix shortly and open a PR for review. This resolves a MongoDB server security issue that may leak memory containing private cryptographic keys and other sensitive data.
Steps to reproduce:

1. Use docker to reproduce locally by running:

    docker run -d --name mongo-vulnerable -p 27017:27017 mongo:7.0.26

2. Send a malformed zlib-compressed packet:

    echo -n "2a0000000100000000000000dc070000dd0700003200000002789c636080028144064620050002ca0073" | xxd -r -p | nc localhost 27017 | xxd

3. Observe uninitialized heap memory in the response:
   - The response contains BSON signatures (e.g., 0x00 padding, string markers).
   - Memory beyond the intended payload is leaked.

Alternatively:

1. Run MongoDB Server version.
2. Send the malformed zlib packet: 2a0000000100000000000000dc070000dd0700003200000002789c636080028144064620050002ca0073
3. Observe uninitialized heap memory in the server response.
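The length mismatch described in the report is a general bug class: an output buffer is sized from a peer-declared uncompressed length, the decoder reports how many bytes it actually wrote, and the code returns the buffer's capacity instead. The example below is added here to illustrate that pattern and the proposed fix side by side; it is not MongoDB's code. zlib is replaced by a toy run-length decoder (toyUncompress, an assumption for this example) that keeps zlib's uncompress() in/out length contract, and the 0xAA fill stands in for stale heap contents so the demonstration has defined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for zlib's uncompress() with the same in/out length contract:
// *destLen is the buffer capacity on entry and the number of bytes actually
// written on return. The encoding is a toy run-length scheme of (count, byte)
// pairs constructed for this example; it is not zlib.
static int toyUncompress(uint8_t* dest, size_t* destLen,
                         const uint8_t* src, size_t srcLen) {
    size_t written = 0;
    for (size_t i = 0; i + 1 < srcLen; i += 2) {
        size_t count = src[i];
        if (written + count > *destLen) {
            return -1;  // output would overflow the buffer (zlib: Z_BUF_ERROR)
        }
        std::memset(dest + written, src[i + 1], count);
        written += count;
    }
    *destLen = written;
    return 0;
}

// The vulnerable shape: the output buffer is sized from the peer-declared
// uncompressed length, the decoder reports how many bytes it really wrote,
// but the function hands back the whole buffer. Everything past `length`
// is whatever the allocation already contained (0xAA simulates that here).
std::vector<uint8_t> decompressVulnerable(const std::vector<uint8_t>& compressed,
                                          size_t declaredSize) {
    std::vector<uint8_t> output(declaredSize, 0xAA);
    size_t length = output.size();
    if (toyUncompress(output.data(), &length,
                      compressed.data(), compressed.size()) != 0) {
        return {};
    }
    return output;  // BUG: capacity, not decoded length, becomes the message
}

// The fix the report proposes: report `length`, the bytes the decoder produced.
std::vector<uint8_t> decompressFixed(const std::vector<uint8_t>& compressed,
                                     size_t declaredSize) {
    std::vector<uint8_t> output(declaredSize, 0xAA);
    size_t length = output.size();
    if (toyUncompress(output.data(), &length,
                      compressed.data(), compressed.size()) != 0) {
        return {};
    }
    output.resize(length);  // trim to the real payload; no stale bytes returned
    return output;
}

// Count how many bytes beyond the decoded payload a result would expose.
size_t trailingBytes(const std::vector<uint8_t>& result, size_t decodedLength) {
    return result.size() > decodedLength ? result.size() - decodedLength : 0;
}

int main() {
    // Constructed input: decodes to "aaabb" (5 bytes) while the peer claims 64.
    const std::vector<uint8_t> compressed = {3, 'a', 2, 'b'};
    const size_t declared = 64;
    auto v = decompressVulnerable(compressed, declared);
    auto f = decompressFixed(compressed, declared);
    std::printf("vulnerable returns %zu bytes (%zu beyond payload), fixed returns %zu\n",
                v.size(), trailingBytes(v, 5), f.size());
    return 0;
}
```

The test for a fix of this kind is the one shown in main(): declare a large size, send a small payload, and check that the returned message length equals the decoded length rather than the declared one. The same check applied to the metrics path catches the counterHitDecompress() discrepancy mentioned in the comments, since it is the same capacity-versus-length confusion in a different caller.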