Impact
The MongoDB C Driver’s legacy GridFS API mishandles malformed file metadata, allowing crafted documents in a GridFS collection to trigger a division‑by‑zero exception that crashes any application using the legacy API, or to perform an out‑of‑bounds read that leaks process memory. The flaw is identified as CWE‑1285, highlighting an out‑of‑bounds read that can be abused to disclose sensitive information or destabilize the application. The primary impact is a potential denial of service through crashes and a confidentiality breach via leakage of memory contents.
Affected Systems
The affected product is the MongoDB, Inc. C Driver, particularly the legacy GridFS file reader component. No version range is specified in the advisory, so all releases that include the legacy API could be vulnerable. Applications that use the legacy GridFS API to read files from a MongoDB instance are the target.
Risk and Exploitability
The CVSS score of 6.0 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no documented exploitation yet. The likely attack vector requires the ability to place malicious documents in a GridFS collection or tamper with existing ones, implying that an attacker with write access to the database or the ability to influence client applications could exploit the issue. Because the flaw is a memory safety bug that can lead to crashes or data leakage, it is exploitable when the legacy API processes attacker-controlled metadata. Exploitation does not require privileged system access; any local or remote attacker who can affect the database contents is sufficient.
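An added example, not the driver's code or a patch from the advisory: the checks a GridFS reader needs before it uses file metadata as a divisor or as a read bound. The advisory does not name the malformed fields; the example assumes the GridFS specification's `length` and `chunkSize` fields and the chunk index `n`, and the struct and function names are hypothetical.

```c
#include <stdint.h>

/* Metadata taken from a GridFS "files" document. Field meanings follow the
 * GridFS specification; the struct and function names are hypothetical. */
typedef struct {
    int64_t length;      /* "length": total file size in bytes */
    int32_t chunk_size;  /* "chunkSize": size of every chunk except the last */
} gridfs_file_meta;

typedef enum {
    GFS_OK = 0,
    GFS_BAD_CHUNK_SIZE,     /* zero or negative: would divide by zero */
    GFS_BAD_LENGTH,         /* negative file length */
    GFS_BAD_CHUNK_INDEX,    /* chunk "n" outside the file */
    GFS_BAD_CHUNK_DATA_LEN  /* payload size disagrees with the metadata */
} gfs_status;

/* Compute the chunk count only after the divisor has been validated. */
static gfs_status gfs_expected_chunks(const gridfs_file_meta *m, int64_t *out)
{
    if (m->chunk_size <= 0)
        return GFS_BAD_CHUNK_SIZE;
    if (m->length < 0)
        return GFS_BAD_LENGTH;
    *out = m->length / m->chunk_size + (m->length % m->chunk_size != 0);
    return GFS_OK;
}

/* Validate chunk number n carrying data_len bytes before any byte is copied
 * out of it. Rejecting a size mismatch keeps later offset arithmetic from
 * reading past the end of the chunk buffer. */
gfs_status gfs_check_chunk(const gridfs_file_meta *m, int64_t n, int64_t data_len)
{
    int64_t total, expected;
    gfs_status st = gfs_expected_chunks(m, &total);
    if (st != GFS_OK)
        return st;
    if (n < 0 || n >= total)
        return GFS_BAD_CHUNK_INDEX;
    /* n < total implies n * chunk_size <= length, so this cannot overflow. */
    expected = (n == total - 1) ? m->length - n * (int64_t)m->chunk_size
                                : (int64_t)m->chunk_size;
    return data_len == expected ? GFS_OK : GFS_BAD_CHUNK_DATA_LEN;
}
```

A caller would run `gfs_check_chunk` on every chunk document it fetches and abort the read on any status other than `GFS_OK`.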