A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to properly handle scenarios where a length field is inconsistent with the actual length of the associated data.
“Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client,” according to a description of the flaw in CVE.org.
The flaw impacts the following versions of the database:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
“A client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server,” MongoDB said. “We strongly recommend upgrading to a fixed version as soon as possible.”
If an immediate update is not an option, it is recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd.
“CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap,” OP Innovate said. “This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation.”
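To turn the fixed-release list and the zlib workaround above into a fleet check, the following added example (not MongoDB's or the article's code) triages a node from its server version and its mongod/mongos command line. The function names, status labels and inventory are constructed for illustration; it reads only the `--networkMessageCompressors` flag, so a node that sets `net.compression.compressors` in its config file is reported as exposed until that file is checked by hand.

```python
import re

# First fixed patch level per branch, copied from the page's fixed-release list.
FIXED_PATCH = {(8, 2): 3, (8, 0): 17, (7, 0): 28, (6, 0): 27, (5, 0): 32, (4, 4): 30}
# Branches the page lists as affected in all versions, with no fixed release named.
NO_FIX_LISTED = {(4, 2), (4, 0), (3, 6)}

def is_fixed(version):
    """True/False for branches the page covers, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in NO_FIX_LISTED:
        return False
    fixed_patch = FIXED_PATCH.get((major, minor))
    return None if fixed_patch is None else patch >= fixed_patch

def compressors_from_argv(argv):
    """Return the --networkMessageCompressors value from a process argv, or None."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
    return None

def zlib_enabled(compressors):
    """Assumption: an unset option is treated as zlib-enabled (the conservative reading)."""
    return compressors is None or "zlib" in {c.strip().lower() for c in compressors.split(",")}

def triage(version, argv):
    fixed = is_fixed(version)
    if fixed is None:
        return "unknown-branch"
    if fixed:
        return "fixed"
    exposed = zlib_enabled(compressors_from_argv(argv))
    return "exposed" if exposed else "mitigated-upgrade-pending"

# Constructed inventory: (host, server version, process command line).
INVENTORY = [
    ("db-a", "7.0.26", ["mongod", "--config", "/etc/mongod.conf"]),
    ("db-b", "6.0.26", ["mongod", "--networkMessageCompressors", "snappy,zstd"]),
    ("db-c", "8.0.17", ["mongod", "--networkMessageCompressors=zlib"]),
]
for host, version, argv in INVENTORY:
    print(host, version, triage(version, argv))
```

A node reported as mitigated still needs the upgrade; omitting zlib only removes the affected code path from the wire protocol.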


