A critical security vulnerability has been uncovered in MongoDB that could allow unauthorized users to read uninitialized heap memory.
The flaw, identified as CVE-2025-14847 with a CVSS score of 8.7, is attributed to improper handling of length parameter inconsistencies, a common issue where the length field does not align with the actual data length.
According to details on CVE.org, “Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client.”
The affected versions of MongoDB include:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- And more…
Remediation for this issue has been implemented in MongoDB versions 8.2.3, 8.0.17, 7.0.28, and others.
MongoDB strongly advises users to upgrade to the patched versions promptly to mitigate the risk of exploitation by malicious clients leveraging the zlib implementation.
If immediate updates are not feasible, disabling zlib compression on the MongoDB Server is recommended as a temporary measure. Alternative compressor options like snappy and zstd can be utilized instead.
OP Innovate highlighted the severity of CVE-2025-14847, emphasizing the potential exposure of sensitive in-memory data that could aid attackers in further malicious activities.