vulnerability

MongoDB: Reachable Assertion (CVE-2021-32037)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:N/I:N/A:P)	Nov 24, 2021	Dec 1, 2021	Apr 7, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:N/A:P)

Published

Nov 24, 2021

Added

Dec 1, 2021

Modified

Apr 7, 2026

Description

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.

Solution

mongodb-upgrade-latest

References

CVE-2021-32037
https://attackerkb.com/topics/CVE-2021-32037
CWE-617
EUVD-EUVD-2021-18903
https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-18903
https://jira.mongodb.org/browse/SERVER-59071

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report