CVE-2026-11933
MongoDB · Server
A use-after-free vulnerability in the MongoDB Server JavaScript engine allows authenticated users to trigger memory corruption.
Executive summary
A critical use-after-free vulnerability in MongoDB Server allows authenticated users to potentially achieve information disclosure or denial of service.
Vulnerability
This vulnerability resides in the server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to execute server-side JavaScript can trigger the use of already-freed memory.
Business impact
With a CVSS score of 8.8, this flaw presents a substantial risk to database availability and data confidentiality. By triggering memory corruption, an attacker could force a server crash, leading to a denial of service, or potentially leak sensitive information from the server's memory space, impacting the overall security posture of the database environment.
Remediation
Immediate Action: Apply the latest security patch provided by MongoDB to address the JavaScript engine memory handling flaw.
Proactive Monitoring: Review database audit logs for anomalous server-side JavaScript execution patterns or unexpected server crashes that may indicate exploitation attempts.
Compensating Controls: Restrict permissions to execute server-side JavaScript to only trusted administrative accounts to reduce the attack surface.
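One way to verify the compensating control above on a host, as an added example that is not part of this advisory: the script below reads a mongod.conf and reports whether server-side JavaScript is still enabled. It assumes the documented MongoDB option `security.javascriptEnabled` (default true; `--noscripting` is the command-line equivalent) and uses a minimal parser for the flat two-level layout of a typical mongod.conf, so it needs no PyYAML; the two sample configs are constructed.

```python
# Added example (not from the advisory): check whether a mongod.conf leaves
# server-side JavaScript enabled. MongoDB's YAML option is
# security.javascriptEnabled (default true); the CLI equivalent is --noscripting.
# The parser handles only the flat "section:\n  key: value" layout of a typical
# mongod.conf, which avoids a PyYAML dependency.

def parse_simple_yaml(text):
    """Parse two-level 'section:\\n  key: value' YAML into nested dicts."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):            # top-level section name
            section = key
            result[section] = {}
        elif section is not None:              # nested key under the section
            result[section][key] = value.strip()
    return result

def server_side_js_enabled(conf_text):
    """True unless security.javascriptEnabled is explicitly set to false."""
    security = parse_simple_yaml(conf_text).get("security", {})
    return security.get("javascriptEnabled", "true").lower() != "false"

# Constructed sample configs: the first keeps the default (engine on), the
# second disables the scripting engine, removing the code path this CVE lives in.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
  javascriptEnabled: false   # same effect as starting mongod with --noscripting
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        state = "ENABLED" if server_side_js_enabled(conf) else "disabled"
        print(f"{name}: server-side JavaScript {state}")
```

Disabling the engine also disables `$where`, `mapReduce`, `$function` and `$accumulator`, so confirm no workload depends on them before rolling the setting out.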
Exploitation status
Public Exploit Available: true
Analyst recommendation
The availability of a public exploit necessitates an immediate and prioritized response. Administrators must apply the latest security patches to all affected MongoDB instances to mitigate the risk of unauthorized data access or system instability.