Critical MongoDB Vulnerability Allows Unauthenticated Attackers to Read Server Memory

553/68 Monday, December 29, 2025

A serious security vulnerability has been identified in MongoDB, tracked as CVE-2025-14847, with a CVSS score of 8.7. The flaw could allow unauthenticated remote attackers to read uninitialized heap memory from a MongoDB server. The issue stems from inconsistent handling of the length parameter in MongoDB’s Zlib-based network compression protocol, which may cause the server to return uninitialized memory contents to unauthenticated clients. This could lead to the exposure of sensitive in-memory data such as internal state information, memory pointers, or other artifacts that could be leveraged in follow-on attacks.

The vulnerability affects multiple MongoDB versions, including MongoDB 8.2.0–8.2.3, 8.0.0–8.0.16, 7.0.0–7.0.26, 6.0.0–6.0.26, 5.0.0–5.0.31, and 4.4.0–4.4.29, as well as MongoDB Server versions 4.2, 4.0, and 3.6. MongoDB has released patches in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30, and strongly advises users to upgrade to a fixed version as soon as possible.

For environments where immediate patching is not feasible, MongoDB recommends disabling Zlib compression on the server by setting the networkMessageCompressors command-line option or the net.compression.compressors configuration-file key to a list that excludes zlib. MongoDB supports alternative compression options such as snappy and zstd, which can be used as a temporary mitigation to reduce risk until a full update can be applied.
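As an added example (not from the advisory or from MongoDB), a small Python check that audits a mongod.conf text for the mitigation described above. It assumes the mongod 4.2+ default of `snappy,zstd,zlib` when the key is absent, so a config file that never mentions compression is still flagged, and it uses a simple line scan rather than a YAML parser.

```python
import re

# Assumed default for mongod 4.2+ when net.compression.compressors is absent:
# zlib is on by default, so an unmentioned setting is still exposed.
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]

# Constructed sample configs (not from any real deployment).
CONF_DEFAULT = "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
CONF_ZLIB = "net:\n  compression:\n    compressors: snappy,zstd,zlib  # default\n"
CONF_HARDENED = "net:\n  compression:\n    compressors: snappy,zstd\n"


def configured_compressors(conf_text):
    """Return the compressor list declared in a mongod.conf text.

    Looks for the `compressors:` key (only net.compression uses it), strips
    any trailing YAML comment, and falls back to the server default when the
    key is absent. The literal value `disabled` turns compression off.
    """
    m = re.search(r"^\s*compressors:\s*(.*?)\s*$", conf_text, re.MULTILINE)
    if not m:
        return list(DEFAULT_COMPRESSORS)
    raw = m.group(1).split("#", 1)[0].strip().strip("'\"")
    if raw.lower() == "disabled":
        return []
    return [c.strip() for c in raw.split(",") if c.strip()]


def zlib_enabled(conf_text):
    """True if this config leaves the zlib compressor reachable."""
    return "zlib" in configured_compressors(conf_text)


def hardened_compressors(conf_text):
    """Same list with zlib removed, as the value to put in the config file
    (or after --networkMessageCompressors); 'disabled' if nothing remains."""
    kept = [c for c in configured_compressors(conf_text) if c != "zlib"]
    return ",".join(kept) if kept else "disabled"


if __name__ == "__main__":
    for name, conf in [("default", CONF_DEFAULT), ("zlib", CONF_ZLIB),
                       ("hardened", CONF_HARDENED)]:
        state = "EXPOSED" if zlib_enabled(conf) else "ok"
        print(f"{name:9s} {state:8s} -> compressors: {hardened_compressors(conf)}")
```

Verify the running server with `db.adminCommand({getCmdLineOpts: 1})` in mongosh, which shows the effective `net.compression.compressors` value.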

Source: https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html