
A high-severity security flaw has been identified in MongoDB that could allow an unauthenticated user to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), is described as a case of improper handling of length parameter mismatch. Length parameter mismatch occurs when a program fails to adequately handle scenarios where the length field does not match the actual length of the associated data.
According to the flaw description on CVE.org, “A mismatch in the length field of the Zlib compression protocol header could allow an uninitialized heap memory read by an unauthenticated client.”

This flaw affects the following versions of the database:
MongoDB 8.2.0 to 8.2.3
MongoDB 8.0.0 to 8.0.16
MongoDB 7.0.0 to 7.0.26
MongoDB 6.0.0 to 6.0.26
MongoDB 5.0.0 to 5.0.31
MongoDB 4.4.0 to 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
This issue was resolved in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
“Client-side abuse of the server’s zlib implementation could result in uninitialized heap memory being returned without authentication to the server,” MongoDB said. “We strongly recommend that you upgrade to the fixed version as soon as possible.”

If immediate updates are not an option, we recommend disabling zlib compression on your MongoDB server by starting mongod or mongos with the networkMessageCompressors command-line option or the net.compression.compressors configuration setting set to a list that explicitly omits zlib. The other compression options supported by MongoDB are snappy and zstd.
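The following is an added illustration of that workaround, not configuration taken from the article or from MongoDB's advisory. It shows a mongod configuration file with the default compressor list (which, per MongoDB's documentation, includes zlib) next to a hardened version that lists only snappy and zstd, so zlib is never negotiated with a client. The file path in the comment is an assumed example location.

```yaml
# Example mongod.conf fragment (assumed path: /etc/mongod.conf).
# WEAK: the default negotiable compressor list includes zlib, so an
# unauthenticated client can select the affected zlib code path.
net:
  compression:
    compressors: snappy,zstd,zlib

# HARDENED: omit zlib entirely; clients that only offer zlib will fall back
# to uncompressed wire traffic, which is still fully functional.
net:
  compression:
    compressors: snappy,zstd
```

The equivalent command-line form is to start the process with `mongod --networkMessageCompressors snappy,zstd` (or the same option on mongos). After restarting, confirm the setting took effect by running `db.adminCommand({ getCmdLineOpts: 1 })` from mongosh and checking that zlib no longer appears under the parsed compressors; treat this only as a stopgap until the fixed release is deployed.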
“CVE-2025-14847 allows a remote unauthenticated attacker to cause a condition in which the MongoDB server may return uninitialized memory from the heap,” OP Innovate said. “This could potentially expose sensitive data in memory, including internal state information, pointers, or other data that could aid further exploitation by an attacker.”
