Snappier transitive dependency vulnerable to CVE-2026-44302 (High – Infinite Loop DoS)


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Critical - P2
    • Affects Version/s: None
    • Component/s: None
    • Dotnet Drivers

        ## Vulnerability

        Snappier NuGet package versions <= 1.3.0 contain a high severity vulnerability
        (CVE-2026-44302, CVSS 7.5).

        The SnappyStream decompressor enters an infinite loop when processing malformed
        framed-format Snappy data, allowing an attacker to spin a thread indefinitely
        until the process is killed (CWE-835).

        Reference: https://github.com/advisories/GHSA-pggp-6c3x-2xmx

        ## Affected Packages

        MongoDB.Driver and MongoDB.EntityFrameworkCore pull in Snappier 1.0.0 as a
        transitive dependency, exposing applications that use these packages to this
        vulnerability.

        ## Expected Fix

        Upgrade the Snappier transitive dependency to >= 1.3.1 in MongoDB.Driver and
        MongoDB.EntityFrameworkCore.

            Assignee:
            Adelin Mbida Owona
            Reporter:
            ismail kundakcı
            Votes:
            0
            Watchers:
            3

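A quick way to confirm whether a build really resolved the vulnerable Snappier, as an added example that is not part of this issue or of the MongoDB drivers' code: it reads the `project.assets.json` that NuGet writes to `obj/` after `dotnet restore`, compares the resolved Snappier version against the 1.3.1 threshold the report gives, lists which packages pull it in, and notes whether the project already overrides it with a direct reference. The two embedded assets documents are constructed samples (MongoDB.Driver version 9.9.9 is a placeholder, not a real release); `SAMPLE_ASSETS_OVERRIDDEN` models the same project after a direct PackageReference to Snappier 1.3.1 has been added.

```python
"""Check a .NET project's resolved package graph for a vulnerable Snappier.

Added example, not code from the issue or the MongoDB drivers. It reads the
project.assets.json that NuGet writes to obj/ after `dotnet restore`. The
threshold (fixed in 1.3.1) comes from the report above; the MongoDB.Driver
version 9.9.9 in the samples is a placeholder, not a real release.
"""
import json

VULN_PACKAGE = "Snappier"
FIXED_IN = "1.3.1"


def parse_version(text):
    """Turn a NuGet/SemVer version into a sortable key.

    Build metadata after '+' is ignored; 1.3 == 1.3.0 == 1.3.0.0; a
    pre-release sorts below its release. Pre-release labels are compared as
    plain strings, which is good enough for a fixed-version threshold.
    """
    core, _, prerelease = text.split("+", 1)[0].partition("-")
    nums = [int(part) for part in core.split(".")]
    nums += [0] * (4 - len(nums))
    return (tuple(nums), (1,) if not prerelease else (0, prerelease))


def _direct_references(assets, tfm):
    """Package ids the project itself references for a target framework."""
    project = assets.get("project", {}).get("frameworks", {}).get(tfm, {})
    return {name.lower() for name in project.get("dependencies", {})}


def find_vulnerable(assets_text, package=VULN_PACKAGE, fixed_in=FIXED_IN):
    """Return one finding per target framework in which `package` resolved.

    Each finding says which version was chosen, whether it is below
    `fixed_in`, which packages declare it as a dependency (the transitive
    path) and whether the project references it directly.
    """
    assets = json.loads(assets_text)
    fixed = parse_version(fixed_in)
    findings = []
    for tfm, target in assets.get("targets", {}).items():
        for ident in target:
            name, _, version = ident.partition("/")
            if name.lower() != package.lower():
                continue
            dependents = sorted(
                dep_id for dep_id, dep in target.items()
                if name.lower() in {d.lower() for d in dep.get("dependencies", {})}
            )
            findings.append({
                "framework": tfm,
                "version": version,
                "vulnerable": parse_version(version) < fixed,
                "transitive_via": dependents,
                "direct_reference": name.lower() in _direct_references(assets, tfm),
            })
    return findings


def _sample(snappier_resolved, direct_override):
    """Constructed project.assets.json fragment (only the keys used here)."""
    deps = {"MongoDB.Driver": {"target": "Package", "version": "[9.9.9, )"}}
    if direct_override:
        deps["Snappier"] = {"target": "Package", "version": f"[{snappier_resolved}, )"}
    return json.dumps({
        "version": 3,
        "targets": {"net8.0": {
            "MongoDB.Driver/9.9.9": {"type": "package",
                                     "dependencies": {"Snappier": "1.0.0"}},
            f"Snappier/{snappier_resolved}": {"type": "package"},
        }},
        "project": {"frameworks": {"net8.0": {"dependencies": deps}}},
    })


# Graph as the report describes it: only MongoDB.Driver is referenced directly
# and it drags in Snappier 1.0.0.
SAMPLE_ASSETS = _sample("1.0.0", direct_override=False)
# Same project after adding <PackageReference Include="Snappier" Version="1.3.1" />:
# the direct reference wins, so 1.3.1 is what ends up in the output folder.
SAMPLE_ASSETS_OVERRIDDEN = _sample("1.3.1", direct_override=True)

if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_ASSETS), ("after override", SAMPLE_ASSETS_OVERRIDDEN)):
        for f in find_vulnerable(doc):
            state = "VULNERABLE" if f["vulnerable"] else "ok"
            print(f"{label}: {f['framework']} Snappier {f['version']} {state}, "
                  f"via {f['transitive_via']}, direct={f['direct_reference']}")
```

On a real project, run `dotnet restore` and pass the contents of `obj/project.assets.json` to `find_vulnerable`. Until the drivers ship with a newer Snappier, an application can pin it itself: a direct `<PackageReference Include="Snappier" Version="1.3.1" />` in the csproj takes precedence over the transitive 1.0.0 under NuGet's nearest-wins resolution, which is the state the second sample models. With network access, `dotnet list package --vulnerable --include-transitive` performs the same check against the advisory feed.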