A high-severity security flaw has been identified in MongoDB that could allow an unauthenticated user to read uninitialized heap memory.
Tracked as CVE-2025-14847 (CVSS score: 8.7), the vulnerability is described as a case of improper handling of a length parameter mismatch: the program fails to handle the case where a length field does not match the actual length of the data it describes.
According to the flaw description on CVE.org, “A mismatch in the length field of the Zlib compression protocol header could allow an uninitialized heap memory read by an unauthenticated client.”
This flaw affects the following versions of the database:
- MongoDB 8.2.0 to 8.2.2
- MongoDB 8.0.0 to 8.0.16
- MongoDB 7.0.0 to 7.0.26
- MongoDB 6.0.0 to 6.0.26
- MongoDB 5.0.0 to 5.0.31
- MongoDB 4.4.0 to 4.4.29
- All MongoDB Server 4.2 versions
- All MongoDB Server 4.0 versions
- All MongoDB Server 3.6 versions (the 4.2, 4.0, and 3.6 branches are end of life and have no fixed release)
This issue was resolved in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
“Client-side abuse of the server’s zlib implementation could result in uninitialized heap memory being returned without authentication to the server,” MongoDB said. “We strongly recommend that you upgrade to the fixed version as soon as possible.”
If an immediate upgrade is not an option, disable zlib compression on the MongoDB server by starting mongod or mongos with the networkMessageCompressors command-line option or the net.compression.compressors configuration setting set to a comma-separated list that explicitly omits zlib. The other compressors MongoDB supports are snappy and zstd, and the value disabled turns network compression off entirely. Leaving the setting unconfigured is not a mitigation: on 4.2 and later the default list is snappy,zstd,zlib, so zlib remains negotiable until it is explicitly removed.
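Because mongosh runs JavaScript, the exposure check can be pasted straight into a shell session. The following is an added example, not code from MongoDB or from the original post. It assumes the fixed versions listed above, that the 4.2/4.0/3.6 branches have no fix, and that on 4.2 and later an unset net.compression.compressors means the default list snappy,zstd,zlib; the two sample getCmdLineOpts results are constructed to mirror the shape of the real command's output.

```javascript
// Added example (not MongoDB's code): decide whether a server is exposed to
// CVE-2025-14847 by combining its version with its compressor configuration.
// Assumptions: fixed patch levels as in the advisory; 4.2/4.0/3.6 unfixed;
// on 4.2 and later an unset net.compression.compressors means the default
// list "snappy,zstd,zlib", so an unconfigured server still negotiates zlib.

const FIXED_PATCH = { "8.2": 3, "8.0": 17, "7.0": 28, "6.0": 27, "5.0": 32, "4.4": 30 };
const UNFIXED_BRANCHES = new Set(["4.2", "4.0", "3.6"]);
const DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"];

// true = this build includes the fix, false = vulnerable build,
// null = release series not covered by the advisory (review manually).
function hasFix(version) {
  const [major, minor, patch] = String(version).split("-")[0].split(".").map(Number);
  const branch = `${major}.${minor}`;
  if (UNFIXED_BRANCHES.has(branch)) return false;
  if (!(branch in FIXED_PATCH)) return null;
  return patch >= FIXED_PATCH[branch];
}

// Compressors the server will negotiate, from the getCmdLineOpts result.
// The parsed tree mirrors the config-file names, and the value is a string.
function effectiveCompressors(cmdLineOpts) {
  const configured = cmdLineOpts?.parsed?.net?.compression?.compressors;
  if (configured === undefined || configured === null) return DEFAULT_COMPRESSORS.slice();
  const list = String(configured).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  return list.includes("disabled") ? [] : list;
}

function zlibNegotiable(cmdLineOpts) {
  return effectiveCompressors(cmdLineOpts).includes("zlib");
}

// Exposed when the build lacks the fix (or is of unknown status) and zlib
// can still be negotiated by an unauthenticated client.
function exposed(version, cmdLineOpts) {
  return hasFix(version) !== true && zlibNegotiable(cmdLineOpts);
}

// Constructed samples in the shape of db.adminCommand({ getCmdLineOpts: 1 }):
// a server started with no compression setting, and one restarted without zlib.
const sampleDefault = {
  argv: ["mongod", "--config", "/etc/mongod.conf"],
  parsed: { config: "/etc/mongod.conf", net: { port: 27017 } },
  ok: 1,
};
const sampleHardened = {
  argv: ["mongod", "--networkMessageCompressors", "snappy,zstd"],
  parsed: { net: { compression: { compressors: "snappy,zstd" } } },
  ok: 1,
};

console.log("7.0.26 with defaults:", exposed("7.0.26", sampleDefault));
console.log("7.0.26 without zlib:", exposed("7.0.26", sampleHardened));

// In mongosh (requires the getCmdLineOpts privilege, e.g. the clusterMonitor role):
//   const opts = db.adminCommand({ getCmdLineOpts: 1 });
//   print(exposed(db.version(), opts) ? "EXPOSED: upgrade or drop zlib" : "not exposed");
```

A release series the table does not know about (a newer major, for example) is reported as exposed whenever zlib is on, which errs on the side of a manual check rather than a silent pass.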
“CVE-2025-14847 allows a remote unauthenticated attacker to cause a condition in which the MongoDB server may return uninitialized memory from the heap,” OP Innovate said. “This could potentially expose sensitive data in memory, including internal state information, pointers, or other data that could aid further exploitation by an attacker.”