Critical MongoDB Vulnerability Exposes Sensitive Data to Unauthenticated Attackers
A significant security vulnerability has been identified in MongoDB that potentially allows unauthenticated attackers to read uninitialized heap memory. The flaw, designated CVE-2025-14847 with a CVSS score of 8.7, arises from improper handling of inconsistent length parameters: when the length fields in a zlib-compressed wire-protocol message header do not match, the server can be made to read uninitialized memory, and an unauthorized client can obtain its contents.
Affected Versions:
– MongoDB 8.2.0 through 8.2.3
– MongoDB 8.0.0 through 8.0.16
– MongoDB 7.0.0 through 7.0.26
– MongoDB 6.0.0 through 6.0.26
– MongoDB 5.0.0 through 5.0.31
– MongoDB 4.4.0 through 4.4.29
– All versions of MongoDB Server v4.2, v4.0, and v3.6
Resolution:
The vulnerability has been addressed in the following MongoDB versions:
– 8.2.3
– 8.0.17
– 7.0.28
– 6.0.27
– 5.0.32
– 4.4.30
MongoDB advises users to upgrade to these fixed versions promptly. If immediate updating isn't feasible, it's recommended to disable zlib compression by starting `mongod` or `mongos` with the `--networkMessageCompressors` command-line option (or the equivalent `net.compression.compressors` setting in the configuration file) and explicitly omitting zlib from the list, so that only the other supported compressors, snappy and zstd, can be negotiated.
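The following is an added audit helper, not code from the advisory or from MongoDB's own tooling. It answers the two questions the advisory raises for a deployment: whether the running version is one the advisory covers, and whether zlib is still negotiable. The fixed-in versions are taken from the Resolution section above, so a build is treated as patched when it is at or above the fixed release for its branch; the default compressor list (`snappy,zstd,zlib`) is my assumption about what an unconfigured `mongod` ships with, and the config-file and command-line samples are constructed.

```python
# Added example (not from the MongoDB advisory or MongoDB's own tooling): a small
# audit helper for CVE-2025-14847. Version ranges come from the advisory's
# Resolution section; everything else is illustrative.
import re
from typing import Optional

# Fixed-in versions per the advisory, keyed by release branch (major, minor).
# A build is treated as patched when it is at or above the fixed version for its branch.
FIXED_IN = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
# Branches the advisory lists as affected in all versions, with no fixed release.
NO_FIX = {(4, 2), (4, 0), (3, 6)}

# Assumption: the compressor list an unconfigured mongod uses. It includes zlib,
# so a server with no explicit setting is treated as exposed.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text: str) -> tuple:
    """Turn '8.0.16' or '8.0.16-rc1' into (8, 0, 16); raise on anything else."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the advisory covers this version as vulnerable, False if it is at or
    past the fixed release for its branch, None if the branch is not in the advisory."""
    v = parse_version(version)
    branch = v[:2]
    if branch in NO_FIX:
        return True
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    return None


def compressors_from_argv(argv) -> Optional[str]:
    """Extract the value of --networkMessageCompressors from a mongod/mongos command line."""
    for i, arg in enumerate(argv):
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
    return None


def compressors_from_yaml(text: str) -> Optional[str]:
    """Extract net.compression.compressors from a mongod config file. Deliberately a
    line-level match rather than a YAML parser: 'compressors' only occurs under
    net.compression in the mongod config schema, which is enough for an audit pass."""
    m = re.search(r"^\s*compressors:\s*['\"]?([A-Za-z0-9,]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def zlib_enabled(compressors: Optional[str]) -> bool:
    """Is zlib negotiable? An absent setting means the default list, which includes zlib;
    the literal value 'disabled' turns compression off entirely."""
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return "zlib" in names and "disabled" not in names


def strip_zlib(compressors: Optional[str]) -> str:
    """Produce the mitigated setting: the same list minus zlib, or 'disabled' if zlib
    was the only compressor (mongod accepts 'disabled' to turn compression off)."""
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    keep = [n.strip() for n in value.split(",") if n.strip() and n.strip().lower() != "zlib"]
    return ",".join(keep) if keep else "disabled"


def assess(version: str, compressors: Optional[str]) -> dict:
    """Combine both checks into one verdict plus the concrete next action."""
    affected = is_affected(version)
    zlib = zlib_enabled(compressors)
    if affected is False:
        action = "patched; no action required for CVE-2025-14847"
    elif affected is None:
        action = "branch not covered by the advisory; confirm with the vendor"
    elif zlib:
        action = f"upgrade, or restart with --networkMessageCompressors {strip_zlib(compressors)}"
    else:
        action = "zlib already disabled; still schedule the upgrade"
    return {"affected": affected, "zlib_enabled": zlib, "action": action}


if __name__ == "__main__":
    # Constructed sample inputs: a config file and a command line as an auditor might collect them.
    sample_conf = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
    print(assess("8.0.16", compressors_from_yaml(sample_conf)))
    print(assess("8.0.17", compressors_from_argv(["mongod", "--networkMessageCompressors", "snappy,zstd"])))
```

Run it against the output of `ps` and the server's config file for each node; a verdict of `affected: True` with `zlib_enabled: True` is the combination the advisory's workaround is meant to remove until the upgrade lands.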
Potential Impact:
Exploitation of CVE-2025-14847 could allow remote, unauthenticated attackers to access uninitialized heap memory, potentially leading to the disclosure of sensitive in-memory data. This data may include internal state information, pointers, or other elements that could assist in further exploitation.