A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), is described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately deal with scenarios where a length field is inconsistent with the actual length of the corresponding data.
According to the description of the flaw at CVE.org, “Mismatched length fields in the Zlib Compressed Protocol header could allow uninitialized heap memory to be read by an unauthenticated client.”
This flaw affects the following versions of the database –
- MongoDB 8.2.0 to 8.2.3
- MongoDB 8.0.0 to 8.0.16
- MongoDB 7.0.0 to 7.0.26
- MongoDB 6.0.0 to 6.0.26
- MongoDB 5.0.0 to 5.0.31
- MongoDB 4.4.0 to 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
The issue is addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
MongoDB said, “Client-side exploitation of the server’s zlib implementation could return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible.”
If immediate updates are not an option, it is recommended to disable zlib compression on the MongoDB server by starting mongod or mongos with the --networkMessageCompressors command-line option (or the net.compression.compressors configuration file setting) set to a compressor list that explicitly excludes zlib. The other compressors supported by MongoDB are snappy and zstd.
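To check whether an existing deployment still negotiates zlib, the following added example (written for this article, not MongoDB's own tooling) reads the documented net.compression.compressors setting from a mongod.conf and the documented --networkMessageCompressors flag from a command line, and reports whether zlib would be enabled. It assumes, per the MongoDB documentation, that an unset option falls back to a default list that includes zlib, so "no setting" is treated as exposed; the configuration snippets are constructed for illustration.

```python
"""Audit mongod/mongos settings for the zlib compressor (CVE-2025-14847 interim mitigation).

Added example, not MongoDB's own code. Assumptions: the YAML key
net.compression.compressors and the CLI flag --networkMessageCompressors are the
documented ways to choose compressors, and when neither is set the server's
default list includes zlib (so an absent setting counts as zlib-enabled).
"""
import shlex

# Constructed sample configs: the weak (default-like) one and the hardened one.
WEAK_CONF = """\
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib   # zlib still negotiable
"""

HARDENED_CONF = """\
net:
  port: 27017
  compression:
    compressors: snappy,zstd        # zlib explicitly excluded
"""


def _split_list(value):
    """Turn 'snappy,zstd' (optionally quoted) into ['snappy', 'zstd']."""
    value = value.strip().strip('"\'')
    return [item.strip() for item in value.split(",") if item.strip()]


def config_compressors(conf_text):
    """Return the net.compression.compressors list from a mongod.conf, or None if absent.

    A minimal indentation-aware walk is enough here: mongod.conf is block-style
    YAML and only the key path net -> compression -> compressors matters.
    """
    path = []  # stack of (indent, key) for the current nesting
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # leave blocks we have exited
            path.pop()
        path.append((indent, key.strip()))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return _split_list(value)
    return None


def cmdline_compressors(cmdline):
    """Return the --networkMessageCompressors list from a command line, or None if absent."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--networkMessageCompressors="):
            return _split_list(arg.split("=", 1)[1])
        if arg == "--networkMessageCompressors" and i + 1 < len(args):
            return _split_list(args[i + 1])
    return None


def zlib_enabled(compressors):
    """True when zlib could be negotiated: listed explicitly, or setting absent (default assumed to include zlib)."""
    if compressors is None:
        return True  # assumption: server default list includes zlib
    return "zlib" in compressors  # 'disabled' turns compression off entirely, so it is safe


def audit(label, compressors):
    """Human-readable verdict for one source of configuration."""
    state = "EXPOSED (zlib negotiable)" if zlib_enabled(compressors) else "ok (zlib excluded)"
    return f"{label}: compressors={compressors} -> {state}"


if __name__ == "__main__":
    print(audit("weak mongod.conf", config_compressors(WEAK_CONF)))
    print(audit("hardened mongod.conf", config_compressors(HARDENED_CONF)))
    print(audit("unset (default)", config_compressors("net:\n  port: 27017\n")))
    print(audit("mongos cmdline", cmdline_compressors(
        "mongos --port 27017 --networkMessageCompressors snappy,zstd")))
```

Point it at the real mongod.conf and at the process command line (for example from ps output) rather than the constructed samples; a result of None from both sources means the server is running with defaults and should be treated as exposed until upgraded.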
“CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which a MongoDB server may return uninitialized memory from its heap,” OP Innovate said. “This could result in the exposure of sensitive in-memory data, including internal state information, pointers, or other data that could aid the attacker in further exploitation.”