MongoDB ships with PCRE 8.30, which suffers from the following vulnerabilities:
When MongoDB runs with authentication enabled, a user must authenticate successfully to MongoDB before they can exploit these vulnerabilities.
Remote attackers may cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.
All MongoDB production releases prior to 2.6.9 and 3.0.1 are affected by this issue.
The fix is included in the 2.6.9 and 3.0.1 production releases.
These releases ship MongoDB with a patched version of PCRE (8.36+) that does not suffer from these vulnerabilities.
An external security researcher exploited the issue in PCRE to cause a crash in MongoDB. CVE-2015-2327 and CVE-2015-2328 were issued for their findings. We rate these issues with a CVSS score of 6.8.
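To triage a fleet against the affected and fixed versions stated above, the following added example (not part of the original advisory or of MongoDB's code) classifies version banners as affected, fixed, or not covered by the advisory. The host names and banners are constructed sample data, and treating release candidates and odd-minor series as non-production builds is an assumption.

```python
import re

# Fixed production releases named in the advisory, keyed by release series.
FIXED_PATCH = {(2, 6): 9, (3, 0): 1}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for a MongoDB version string."""
    match = VERSION_RE.search(version_text)
    if not match:
        return "unknown"
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    # Assumption: release candidates and odd-minor series (2.5.x, 2.7.x) are
    # development builds, which the advisory's "production releases" omits.
    if match.group(4) or minor % 2 == 1:
        return "unknown"
    series = (major, minor)
    if series in FIXED_PATCH:
        # Compare numerically: as strings, "10" would sort before "9".
        return "fixed" if patch >= FIXED_PATCH[series] else "affected"
    if series < (2, 6):
        # Older production series predate 2.6.9 and have no fixed release listed.
        return "affected"
    return "unknown"  # series newer than 3.0 are not covered by the advisory


def triage(inventory):
    """Map each host to its status, given {host: version banner}."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed inventory; host names and banners are sample data.
SAMPLE_INVENTORY = {
    "db-a.example.internal": "db version v2.4.14",
    "db-b.example.internal": "db version v2.6.8",
    "db-c.example.internal": "db version v2.6.10",
    "db-d.example.internal": "db version v3.0.0",
    "db-e.example.internal": "db version v3.0.1",
    "db-f.example.internal": "db version v3.0.1-rc0",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:9} {host}")
```

Hosts reported as `unknown` need a manual check, since the advisory only speaks to production releases up to 3.0.1.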