A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to correctly handle scenarios where a length field is inconsistent with the actual length of the associated data.
"Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client," according to a description of the flaw in CVE.org.
The flaw affects the following versions of the database –
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
"A client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server," MongoDB said. "We strongly recommend upgrading to a fixed version as soon as possible."
If an immediate update isn't an option, it is recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd.
"CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap," OP Innovate said. "This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation."
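The interim mitigation above, shown as a mongod.conf fragment (an added example, not from the article or from MongoDB; the option names come from the article, the YAML key path and the default compressor list are assumed from the server's documented configuration):

```yaml
# Added example: two alternative mongod.conf fragments, separated as YAML documents.
# BEFORE (assumed documented default on affected versions): the server advertises
# all three compressors, so a client can negotiate zlib and reach the affected path.
---
net:
  compression:
    compressors: snappy,zstd,zlib

# AFTER (interim mitigation until a fixed version is deployed): only snappy and
# zstd are offered, so the server never agrees to zlib during the handshake and
# an unauthenticated client cannot select it.
---
net:
  compression:
    compressors: snappy,zstd

# Command-line equivalent for mongod or mongos, using the option the article names:
#   mongod --config /etc/mongod.conf --networkMessageCompressors snappy,zstd
```

To confirm after the restart, run `db.adminCommand({hello: 1, compression: ["zlib"]})` in mongosh; assuming the handshake's `compression` negotiation field, the reply should no longer list `zlib` among the agreed compressors.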