Impact
A use‑after‑free flaw exists in the classic engine of MongoDB Server that can be exploited when an authenticated user possessing a read role issues a specially crafted $lookup or $graphLookup aggregation pipeline. The vulnerability can subvert normal memory handling, potentially leading to arbitrary code execution or service disruption for the affected cluster. The flaw originates from improper deallocation of ExpressionContext objects, a classic memory safety weakness.
Affected Systems
MongoDB Server deployments are affected. Versions 8.3.0 alpha 0‑3 and release candidate 1 are known to be impacted; other unpatched releases may also be vulnerable. The flaw is present in sharded clusters where the aggregation framework processes $lookup or $graphLookup stages.
Risk and Exploitability
The CVSS score of 8.7 classifies the vulnerability as high severity, while the EPSS score of less than 1% indicates a relatively low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, so no widespread, publicly known exploitation has been reported. Attackers must be authenticated with at least read permission, meaning the threat surface is limited to users with legitimate cluster access or compromised credentials. If exploited, the attacker could gain control over the server or cause a denial of service.
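Because the flaw is reachable by any authenticated user with a read role, it helps to know which accounts actually run $lookup or $graphLookup. The following is an added example, not part of the original advisory or of MongoDB's code: it inventories use of those two stages in recorded aggregation pipelines, including stages nested inside $facet, $unionWith and $lookup sub-pipelines. The record shape (user, ns, pipeline) and all sample values are constructed assumptions; the output shows exposure only and does not indicate exploitation.

```javascript
// Added example: inventory which recorded pipelines use the stages named in
// this advisory. It reports exposure only; it does not detect exploitation.
const FLAGGED = new Set(["$lookup", "$graphLookup"]);

// Return the sorted, de-duplicated flagged stages found in a pipeline,
// descending into sub-pipelines carried by $lookup, $unionWith and $facet.
function findFlaggedStages(pipeline, found = new Set()) {
  if (!Array.isArray(pipeline)) return [];
  for (const stage of pipeline) {
    if (stage === null || typeof stage !== "object") continue;
    for (const [name, spec] of Object.entries(stage)) {
      if (FLAGGED.has(name)) found.add(name);
      if (spec === null || typeof spec !== "object") continue;
      if (name === "$lookup" || name === "$unionWith") {
        findFlaggedStages(spec.pipeline, found);
      } else if (name === "$facet") {
        for (const sub of Object.values(spec)) findFlaggedStages(sub, found);
      }
    }
  }
  return [...found].sort();
}

// Group flagged usage by user so access to these stages can be reviewed.
function summarizeExposure(records) {
  const byUser = {};
  for (const { user, ns, pipeline } of records) {
    const stages = findFlaggedStages(pipeline);
    if (stages.length === 0) continue;
    if (!byUser[user]) byUser[user] = [];
    byUser[user].push({ ns, stages });
  }
  return byUser;
}

// Constructed sample records (hypothetical users and namespaces).
const SAMPLE = [
  { user: "report_ro", ns: "shop.orders", pipeline: [
      { $match: { status: "open" } },
      { $lookup: { from: "customers", localField: "cid", foreignField: "_id", as: "c" } } ] },
  { user: "report_ro", ns: "shop.orders", pipeline: [{ $group: { _id: "$status", n: { $sum: 1 } } }] },
  { user: "bi_ro", ns: "hr.staff", pipeline: [
      { $facet: { tree: [{ $graphLookup: { from: "staff", startWith: "$mgr",
          connectFromField: "mgr", connectToField: "_id", as: "chain" } }] } } ] },
  { user: "etl", ns: "shop.a", pipeline: [
      { $unionWith: { coll: "b", pipeline: [{ $lookup: { from: "c", pipeline: [], as: "x" } }] } } ] },
];

console.log(JSON.stringify(summarizeExposure(SAMPLE), null, 2));
```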