New MongoDB Flaw Lets Unauthenticated Attackers Learn Uninitialized Reminiscence

Dec 27, 2025Ravie LakshmananDatabase Safety / Vulnerability

A high-severity safety flaw has been disclosed in MongoDB that would permit unauthenticated customers to learn uninitialized heap reminiscence.

The vulnerability, tracked as CVE-2025-14847 (CVSS rating: 8.7), has been described as a case of improper dealing with of size parameter inconsistency, which arises when a program fails to appropriately deal with eventualities the place a size subject is inconsistent with the precise size of the related knowledge.

“Mismatched size fields in Zlib compressed protocol headers could permit a learn of uninitialized heap reminiscence by an unauthenticated shopper,” in response to a description of the flaw in CVE.org.

The flaw impacts the next variations of the database –

• MongoDB 8.2.0 by means of 8.2.3
• MongoDB 8.0.0 by means of 8.0.16
• MongoDB 7.0.0 by means of 7.0.26
• MongoDB 6.0.0 by means of 6.0.26
• MongoDB 5.0.0 by means of 5.0.31
• MongoDB 4.4.0 by means of 4.4.29
• All MongoDB Server v4.2 variations
• All MongoDB Server v4.0 variations
• All MongoDB Server v3.6 variations

The difficulty has been addressed in MongoDB variations 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

“An client-side exploit of the Server’s zlib implementation can return uninitialized heap reminiscence with out authenticating to the server,” MongoDB mentioned. “We strongly suggest upgrading to a hard and fast model as quickly as potential.”

If rapid replace isn’t an possibility, it is advisable to disable zlib compression on the MongoDB Server by beginning mongod or mongos with a networkMessageCompressors or a internet.compression.compressors possibility that explicitly omits zlib. The opposite compressor choices supported by MongoDB are snappy and zstd.

“CVE-2025-14847 permits a distant, unauthenticated attacker to set off a situation by which the MongoDB server could return uninitialized reminiscence from its heap,” OP Innovate mentioned. “This might outcome within the disclosure of delicate in-memory knowledge, together with inside state data, pointers, or different knowledge which will help an attacker in additional exploitation.”