- Type: Bug
- Resolution: Unresolved
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: None
- Networking & Observability
- ALL
After parsing each document in this DocSequence loop, the code validates `msg.body` (the Kind 0 body section) instead of the just-parsed `obj` (the DocSequence document):
```cpp
while (!seqBuf.atEof()) {
    auto obj = seqBuf.read<Validated<BSONObj>>();
    // Should validate obj, not msg.body:
    uassertStatusOK(msg.body.validateBSONObjSize().addContext(
        "Parsing opMsg DocSequence failed"));
    msg.sequences.back().objs.push_back(obj);
}
```
This means the body is re-validated on every iteration, but the actual DocSequence documents are never size-checked at parse time.
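As an added illustration (not code from this ticket or from the MongoDB code base), a simplified C++ model of the loop above: length-prefixed byte documents stand in for `BSONObj`, `validateSize` stands in for `validateBSONObjSize()`, and a 64-byte cap is a constructed stand-in for the 16 MB limit. The buggy loop accepts an oversized sequence document because it keeps re-checking the body; the corrected loop checks each parsed document and rejects it.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>
struct Doc { std::vector<uint8_t> bytes; };  // constructed stand-in for BSONObj: int32 LE length prefix first
static void putLE32(uint8_t* p, uint32_t v) { for (int i = 0; i < 4; ++i) p[i] = uint8_t(v >> (8 * i)); }
static uint32_t getLE32(const uint8_t* p) { uint32_t v = 0; for (int i = 0; i < 4; ++i) v |= uint32_t(p[i]) << (8 * i); return v; }
static Doc makeDoc(uint32_t totalLen) {  // length prefix followed by zero filler
    Doc d; d.bytes.assign(totalLen, uint8_t{0}); putLE32(d.bytes.data(), totalLen); return d;
}
// Stand-in for validateBSONObjSize(): reject a document whose declared length exceeds the cap.
static void validateSize(const Doc& d, size_t maxBytes, const char* ctx) {
    if (d.bytes.size() < 4 || getLE32(d.bytes.data()) > maxBytes) throw std::runtime_error(ctx);
}
static Doc readNext(const std::vector<uint8_t>& seq, size_t& pos) {  // next length-prefixed doc, bounds-checked
    uint32_t len = seq.size() - pos >= 4 ? getLE32(seq.data() + pos) : 0;
    if (len < 4 || len > seq.size() - pos) throw std::runtime_error("truncated DocSequence");
    Doc d; d.bytes.assign(seq.begin() + pos, seq.begin() + pos + len); pos += len; return d;
}
// Mirrors the ticket's loop: msg.body is re-checked on every iteration, the parsed obj never is.
static size_t parseSequenceBuggy(const Doc& body, const std::vector<uint8_t>& seq, size_t maxBytes) {
    size_t pos = 0, accepted = 0;
    while (pos < seq.size()) {
        Doc obj = readNext(seq, pos);
        validateSize(body, maxBytes, "Parsing opMsg DocSequence failed");  // wrong object checked
        ++accepted;
    }
    return accepted;
}
// Corrected loop: size-check the document that was just parsed.
static size_t parseSequenceFixed(const Doc& body, const std::vector<uint8_t>& seq, size_t maxBytes) {
    size_t pos = 0, accepted = 0;
    validateSize(body, maxBytes, "Parsing opMsg body failed");  // body checked once, up front
    while (pos < seq.size()) {
        Doc obj = readNext(seq, pos);
        validateSize(obj, maxBytes, "Parsing opMsg DocSequence failed");
        ++accepted;
    }
    return accepted;
}
static const size_t kMaxBytes = 64;  // constructed cap standing in for the 16 MB BSON limit
static std::vector<uint8_t> sampleSequence() {  // constructed: a 32-byte doc, then a 200-byte doc over the cap
    std::vector<uint8_t> seq;
    for (uint32_t len : {32u, 200u}) { Doc d = makeDoc(len); seq.insert(seq.end(), d.bytes.begin(), d.bytes.end()); }
    return seq;
}
static size_t buggyAccepted() { return parseSequenceBuggy(makeDoc(16), sampleSequence(), kMaxBytes); }  // 2
static bool fixedRejects() {  // true when the oversized sequence document is caught
    try { parseSequenceFixed(makeDoc(16), sampleSequence(), kMaxBytes); return false; }
    catch (const std::runtime_error&) { return true; }
}
```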
I don't think this issue has any serious security implications, especially after the introduction of preAuthMaximumMessageSizeBytes, but it does allow for sending a larger-than-expected document sequence that exceeds the normal 16 MB limit.
This bug was reported by Xint Code, an AI security analysis platform that Product Security is piloting.