{"id":"CVE-2024-3372","details":"Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be triggered before authentication and may cause unexpected application behavior, including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v5.0 versions prior to 5.0.25.\n","aliases":["BIT-mongodb-2024-3372"],"modified":"2026-04-12T07:01:49.337954Z","published":"2024-05-14T16:17:31.343Z","references":[{"type":"REPORT","url":"https://jira.mongodb.org/browse/SERVER-85263"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"1184f004a99660de6f5e745573419bda8a28c0e9"},{"fixed":"17c0d8bbee46f15f1574079e266a9997cebe6d0e"},{"introduced":"e61bf27c2f6a83fed36e5a13c008a32d563babe2"},{"fixed":"bda19256b0e3fa7f6d3d769329ba373a72e9aeb1"},{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"0eb07427dc794bff511ecbd071687aee6c351cf8"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"5.0.25"},{"introduced":"6.0.0"},{"fixed":"6.0.14"},{"introduced":"7.0.0"},{"fixed":"7.0.6"}]}}],"versions":["r5.0.0","r5.0.1","r5.0.1-rc0","r5.0.10","r5.0.10-rc0","r5.0.11","r5.0.11-rc0","r5.0.11-rc1","r5.0.12","r5.0.12-rc0","r5.0.13","r5.0.13-rc0","r5.0.14","r5.0.14-rc0","r5.0.15","r5.0.15-rc0","r5.0.15-rc1","r5.0.15-rc2","r5.0.16","r5.0.16-rc0","r5.0.17","r5.0.17-rc0","r5.0.18","r5.0.18-rc0","r5.0.18-rc1","r5.0.18-rc2","r5.0.19","r5.0.19-rc0","r5.0.2","r5.0.2-rc0","r5.0.20","r5.0.20-rc0","r5.0.20-rc1","r5.0.21","r5.0.21-rc0","r5.0.22","r5.0.22-rc0","r5.0.22-rc1","r5.0.23","r5.0.23-rc0","r5.0.24","r5.0.24-rc0","r5.0.3","r5.0.3-rc0","r5.0.3-rc1","r5.0.3-rc2","r5.0.4","r5.0.4-rc0","r5.0.5","r5.0.5-rc0","r5.0.6","r5.0.6-rc0","r5.0.6-rc1","r5.0.6-rc2","r5.0.7","r5.0.7-rc0","r5.0.7-rc1","r5.0.8","r5.0.8-rc0","r5.0.9","r5.0.9-rc0","r5.0.9-rc1","r6.0.0","r6.0.1","r
6.0.1-rc0","r6.0.10","r6.0.10-rc0","r6.0.11","r6.0.11-rc0","r6.0.12","r6.0.12-rc0","r6.0.12-rc1","r6.0.13","r6.0.13-rc0","r6.0.14-rc0","r6.0.2","r6.0.2-rc0","r6.0.2-rc1","r6.0.3","r6.0.3-rc0","r6.0.3-rc1","r6.0.3-rc2","r6.0.4","r6.0.4-rc0","r6.0.4-rc1","r6.0.5","r6.0.5-rc0","r6.0.5-rc1","r6.0.6","r6.0.6-rc0","r6.0.6-rc1","r6.0.7","r6.0.7-rc0","r6.0.8","r6.0.8-rc0","r6.0.9","r6.0.9-rc0","r6.0.9-rc1","r7.0.0","r7.0.1","r7.0.1-rc0","r7.0.2","r7.0.2-rc0","r7.0.2-rc1","r7.0.2-rc2","r7.0.3","r7.0.3-rc0","r7.0.3-rc1","r7.0.4","r7.0.4-rc0","r7.0.5","r7.0.5-rc0"],"database_specific":{"vanir_signatures":[{"id":"CVE-2024-3372-09bc5cf1","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["334660737196684850722664536996643457946","327939151132501271412548243499103721443","11381017535182826178853558167778058346","213814770147066090227553785989065756330","196780867547189859590281459774911213327","125943850035741450541195492604385805527","217317312544345665709492833750546224556","305303411531048506060062824462097062490","284747837897875280152053279718908925216","328623613056724057159257026131314938565","265444948854827299905736565002572342754","251260535726361490888570192450961057747","155383785480391756437487382774816827232","174013355192363307081523149643961411025","99442954032108321157374426467179070243","83870892542530576207675915224295341659","322154761345666299341756594399310827855","43431729074497789219775175651359394146","255201184690936909443409851409656356254","2510868651900740927701410196012747739","44010508272711182221726503346227496700","125008119081435533482232314231684874075","113161986951339734295935487890313095198","18422388940995107044848192537028186688","255029257159406557377168267652055787601","44010508272711182221726503346227496700","273343002948521916491700092437180331597","285892018315033997642663819284224858257","137175722041438436637770758526654365860","328381951967932019379602219368323861143","1061694364403878440137139132874
21995417","7532299892693696021004871311007195182","116970381517417152918859680737212124192","117132859885639804751107123205975558820","253680158893955527555588855884236462007","31865407357096567699177254519558272677","339892111717626869008296898012958336599","283775594231203181540974113344567225144","263984450781944345667545638972785107033","128259899352254909945378414083753563238","158302831930630962480486176087757796575","300366929294648864136043619813090977443","96586414899962371892018574227979220166","331272680517708080139262672816660442621","261701113028166259299387572558903873799","51240807056846672687736712948589407741","261867511370138231258092377795676011992","291515506078429642871341420950758417192","6450420423680971381150276175237969071","46021742025537851324445377393537720730","58959339010469934943498796732037652805","203372241186538660500953468703624100479","220838986718538204720832317838319826940","280029305925661420510980948828281349079","124457456362943743611943545285902088148","110504659277878491578492687143456674561","65771451601050466415904446534558983156","51121625526529548657412925840342857243","259583156162185954906928996983286967378","96325719789891479481561785333619706347","888291269009851597066459530664767928","115159863817392033409983421266882833893","214447623189143524806658552851699890422","222082711425429855915620392263919488740","1645453570858632259199827475326879924","25558939891494044258027575971420865350","180609025202945700170748805764160104868","44953723872945955787086950050218597410","182725994440360592884264688469456539751","165678414385017350997437442225804352124","176044958857386126535146517960053522345","297503601667280524429323566395040960477","295368644412979672086460471643029499581","87390901434857824207928977390750683622","8726941277490441442011190390244378437","287549953734312420165149084221995890212","263871614230667148832757238444717913967","175657891224964872056063875245213335786","1279773882430563182776333777146417261
14","88278056272020735868650531202706979992","335071027322015887468894872036705919469","297241172455456714816360093735952491986","286493553677242278001782839432870475793","95739504631004744330793353417733797629","15543517488977972365135734578285711023","296428450163062194421577553306187673350","141828024222576888978685385685356123718","121659731140770669684743407562714523118","89860471627573268543579676951703033945","184532649863945890014665653494408419797"]},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future_impl.h"},"signature_version":"v1"},{"id":"CVE-2024-3372-1be11cac","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["180442162751007471442297319117564763449","102238743312965007741081543736884928516","298578879355359540061776656391088228587","97270528596229229361832339153532952680","143098524512882774809711807943354704391","900379494683746829341402929363351045","328989223422759779767447404903927879607","57543607242651378687118308492419269956","114823669593406561828524317248882728007","77332344238737607542166871798705027002","77755056766013022305574021847409788746","64321901876826279669428212233784660478","292385314333009646772829699546458432104","307262009650961184229991076441100288207"]},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/pipeline_test.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-2067516d","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["21982759608103748920370383784675933138","16394862291572110220681934639662159236","164893593551830188786993875510590895507","140871654552613057216153275585856484380"]},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_ensure_resume_token_present.cpp"},"signature_vers
ion":"v1"},{"id":"CVE-2024-3372-355ea47e","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["21982759608103748920370383784675933138","16394862291572110220681934639662159236","164893593551830188786993875510590895507","140871654552613057216153275585856484380"]},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_ensure_resume_token_present.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-437ee5e3","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["77315099632387602654522629252481956611","181925333261410147692271424606007841609","136826746068500416004679873683822100973","93308908110241014894679961714869152060","157421111845622954622802059743254748543","328581612210813313439116065835008034117","168371887770576990270765983737681849732","173482595559127633205407860342468393871","275862015207767002462367680002019310705","333621420998714293724847980440416022975","72624881170113220118098710310705743791","329904459523065518874000714977512676638","145909640849663123701180481172977470226","81207617425845142558976152577647852686","1889317581502594464400317795736202484","45502331117283867773475753897470095179","190087398995385990231701937470969367702","71240918476668993742802804165703000975","200151288689833156603191400563595535536","16965630188629110734455761182150938691","325496488412780261844017888855201650302","31939750697818536482290490682729608440","156484680650030098724948840581637766493","198105222683690511048471991561566453153","305679178017168922405881056534100604387","246456917054007665615415103269071151310","317783454676172057292129481339301693434","139943188877774433155835398794554149452","80238858040923327730379115439285689728","103177936202978409679652754841420944708","10528460450294873748895283157766795777","135130542914313427773798384645830314334","305767154710441216895763490474752817
858","329151554993677275680775596734642549619","204063908033668573404039190566755031661","248698800961160833741328804064201113661","111174644275296153964761276671922591921","4295950955342566419855047098464018257","12650532222877998358815255155721161683","322735308521187249819502904609226317377","299848086016585050041065761728452454133","125054418572640556144620639535282852459","191002297930510351697623934546028107004","31651658653056124267491266229392872054","326146206760087046741478386791604187271","250066177525863917871557491918333960108","184272309564045024928549955607834522943","102012316663850581456994516455624892189","305927259355110934421327315515395092134","265894984481201876030972248854954690119","224806619339238651740028549207087216150","127759585041802040353174427141247736493","101839492065963413481092450273915511035","195948715777652388794023293045321115176","230967095852377148550249788225480388846","23664923404674098336628509212749318535","329699611287062825912458753714281433370","23192227107677940349151520856021957353","120192342875494445677608616009228130619","100342006657537529584814911649452451838","125475294899982165503271986554539756247","10243413336944921618415149446600995738","195948715777652388794023293045321115176","219754744637063584612333559673580410806","17258585459909298616705029472687327319","129622731918365979145186844340741183749","100876846281668350149140513632556231349","50985919586427199707019442848601421962","4224406075854583120268853332774732532","246147189109683068395107382262055970824","28336552063744818457606671652651584807","312623080228289278984267875601713603173","146329907699615861646534659032559590534","31991903128709698128247293641716788171","225379767101079273071308984426110109883","126452531551414331584900071377718875699","92262820185025183733194802134216983435","203110430174437278292322508415986433571","125921627517116329663134108710040652861"]},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e2
66a9997cebe6d0e","target":{"file":"src/mongo/util/future_test_valid.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-588ab4ee","signature_type":"Function","deprecated":false,"digest":{"length":547,"function_hash":"326923300168984241216284390816434364060"},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_ensure_resume_token_present.cpp","function":"DocumentSourceChangeStreamEnsureResumeTokenPresent::constraints"},"signature_version":"v1"},{"id":"CVE-2024-3372-62610737","signature_type":"Function","deprecated":false,"digest":{"length":744,"function_hash":"336198138838905411274318893336233537513"},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future_impl.h","function":"makeContinuation"},"signature_version":"v1"},{"id":"CVE-2024-3372-6b989b0a","signature_type":"Function","deprecated":false,"digest":{"length":540,"function_hash":"284761211023783516887083638770517484224"},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_handle_topology_change.cpp","function":"DocumentSourceChangeStreamHandleTopologyChange::constraints"},"signature_version":"v1"},{"id":"CVE-2024-3372-6c792f0e","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["180442162751007471442297319117564763449","102238743312965007741081543736884928516","298578879355359540061776656391088228587","97270528596229229361832339153532952680","143098524512882774809711807943354704391","900379494683746829341402929363351045","328989223422759779767447404903927879607","57543607242651378687118308492419269956","114823669593406561828524317248882728007","77332344238737607542166871798705027002","77755056766013022305574021847409788746","154951594832706039891825793009415528968","292385314333009646772
829699546458432104","307262009650961184229991076441100288207"]},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/pipeline_test.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-6da45637","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["21982759608103748920370383784675933138","16394862291572110220681934639662159236","164893593551830188786993875510590895507","140871654552613057216153275585856484380"]},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_handle_topology_change.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-754a747e","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["278525065516258922964402083339856728627","4003535192820107879190993869484052590","166972566813860137792889449782083928441","17224610290445006659707219867748783108","301655652311981135410188868456014259005","213729509760799447676508199082806231878","220507236687728753331906749891699218865"]},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/document_source.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-8098ca2a","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["63603265984400190032048702366629966414","1905112851259271926051253451099438101","77697333467249933171531919000503601726","235156842325575126669973096890912689436","214520087187874442676849766254341618103","278035744906252999716649797931634202360","325466641644745534994937899508737765223","325156217498792449409285006803808271942","245501768480209939720105036940345791281","280332599154437206370181279253850105189","282038904451015678617977304261988645995","56136715739904043586674527636774937449","330310301743052705379014078994006364340","2318174024843
81207862930973662359878905","26356339869538064291442674194406329523","247651385909972629929391184022136627809","115335376117130195784269147004802034567","9266540033210547471160024286509949600","187097948376592342663386045459415357899"]},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future.h"},"signature_version":"v1"},{"id":"CVE-2024-3372-81a4a2aa","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["163073384085621481204075085609846098032","319588303336677007036794342713519400176","215124579891677844221708045993526737772","170820589548548432582914279757292212984","203989070311130485962715392104763046081","231594189704648413873030566012091780818","46941132131009810144209975388764775469","41326692233864293406992591141963272758"]},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/document_source.h"},"signature_version":"v1"},{"id":"CVE-2024-3372-8b4aba21","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["278525065516258922964402083339856728627","4003535192820107879190993869484052590","166972566813860137792889449782083928441","17224610290445006659707219867748783108","301655652311981135410188868456014259005","213729509760799447676508199082806231878","220507236687728753331906749891699218865"]},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/document_source.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-8ee3c783","signature_type":"Function","deprecated":false,"digest":{"length":320,"function_hash":"313193972827117295850716685049433808777"},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future_test_valid.cpp","function":"assertSharedSemiFutureTransfersValid"},"signature_version":"v1"}
,{"id":"CVE-2024-3372-993ec28f","signature_type":"Function","deprecated":false,"digest":{"length":540,"function_hash":"284761211023783516887083638770517484224"},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_handle_topology_change.cpp","function":"DocumentSourceChangeStreamHandleTopologyChange::constraints"},"signature_version":"v1"},{"id":"CVE-2024-3372-b754d549","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["163073384085621481204075085609846098032","319588303336677007036794342713519400176","215124579891677844221708045993526737772","170820589548548432582914279757292212984","203989070311130485962715392104763046081","231594189704648413873030566012091780818","46941132131009810144209975388764775469","41326692233864293406992591141963272758"]},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/document_source.h"},"signature_version":"v1"},{"id":"CVE-2024-3372-bf47615c","signature_type":"Function","deprecated":false,"digest":{"length":243,"function_hash":"239748482481581205779062583936731957462"},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future_test_valid.cpp","function":"assertFutureTransfersValid"},"signature_version":"v1"},{"id":"CVE-2024-3372-d4588e64","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["335687411179595313448301497578426882516","57146107484757292372360960885593846319","190647971059543305097973246194615593291","31949760860682575926675482949036423647","87104150788582254008548321696248551842","195364895674534348698458082884231151642","180342911479740146907903133444096868357"]},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/stage
_constraints.h"},"signature_version":"v1"},{"id":"CVE-2024-3372-d5cf1633","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["335687411179595313448301497578426882516","57146107484757292372360960885593846319","190647971059543305097973246194615593291","31949760860682575926675482949036423647","87104150788582254008548321696248551842","195364895674534348698458082884231151642","180342911479740146907903133444096868357"]},"source":"https://github.com/mongodb/mongo/commit/0eb07427dc794bff511ecbd071687aee6c351cf8","target":{"file":"src/mongo/db/pipeline/stage_constraints.h"},"signature_version":"v1"},{"id":"CVE-2024-3372-de5c8ce7","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["21982759608103748920370383784675933138","16394862291572110220681934639662159236","164893593551830188786993875510590895507","140871654552613057216153275585856484380"]},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_handle_topology_change.cpp"},"signature_version":"v1"},{"id":"CVE-2024-3372-e3bed6ad","signature_type":"Function","deprecated":false,"digest":{"length":319,"function_hash":"65355681539251009508300892205441276452"},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future_test_valid.cpp","function":"assertSemiFutureTransfersValid"},"signature_version":"v1"},{"id":"CVE-2024-3372-ee0dfa6e","signature_type":"Function","deprecated":false,"digest":{"length":547,"function_hash":"326923300168984241216284390816434364060"},"source":"https://github.com/mongodb/mongo/commit/bda19256b0e3fa7f6d3d769329ba373a72e9aeb1","target":{"file":"src/mongo/db/pipeline/document_source_change_stream_ensure_resume_token_present.cpp","function":"DocumentSourceChangeStreamEnsureResumeTokenPresent::constraints"},"signature_version":"v1"},{"id":"CVE-2024-3372-f4df3a03","
signature_type":"Function","deprecated":false,"digest":{"length":320,"function_hash":"313193972827117295850716685049433808777"},"source":"https://github.com/mongodb/mongo/commit/17c0d8bbee46f15f1574079e266a9997cebe6d0e","target":{"file":"src/mongo/util/future_test_valid.cpp","function":"assertSharedSemiFutureSplits"},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T07:01:49Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3372.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}