CVE-2025-14911
Integer Overflow in GridFS chunkSize Leading to Heap Allocation Failure
In short
MongoDB GridFS allows attackers to send specially crafted file metadata with an invalid chunkSize value that causes an integer overflow, leading to memory allocation failures and potential denial of service.
Technical detail
An integer overflow vulnerability exists in MongoDB GridFS where user-controlled chunkSize metadata lacks validation, allowing an attacker to craft malformed GridFS metadata that overflows integer boundaries, causing heap allocation failures and application crashes. The vulnerability requires direct access to craft GridFS objects with manipulated metadata.
Summary generated and translated by AI from the official description.
User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected products
MongoDB · Mongo-c-driverWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →