MongoDB hit by a serious security flaw
Monday, December 29, 2025
What
MongoDB has identified and reported a significant vulnerability, CVE-2025-14847, affecting multiple versions of its database server. The flaw stems from "incompatible length fields in compressed Zlib protocol headers": a client sends a zlib-compressed wire-protocol message whose declared uncompressed length does not match what the payload actually inflates to, and the server ends up exposing uninitialized heap memory to that client. No authentication is required, so any client that can reach the listening port can trigger it. The direct primitive is an information disclosure (whatever happened to be left in the heap, which on a database server can include credentials, query contents and stored data); the article presents arbitrary code execution and full control of the host as the worst case. MongoDB has released patches and advises users to update immediately, or to disable Zlib compression if immediate patching is not feasible.
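To make the bug class concrete, the following is an added illustrative model, not MongoDB's own code and not a reproduction of the actual flaw. It builds an OP_COMPRESSED frame (opcode 2012, whose body carries originalOpcode, uncompressedSize and compressorId before the compressed bytes) and contrasts a decoder that trusts the client-supplied uncompressedSize with one that refuses any frame where that field and the inflated length disagree. The "stale heap" contents and the sample payload are constructed; the 48 MiB cap is an assumed upper bound, not a MongoDB setting.

```python
"""Illustrative model of the OP_COMPRESSED length-field bug class (added example)."""
import struct
import zlib

OP_COMPRESSED = 2012   # wire-protocol opcode of a compressed message
OP_MSG = 2013          # opcode of the message carried inside the compressed body
COMPRESSOR_ZLIB = 2    # compressorId value for zlib

SAMPLE_PAYLOAD = b'{"ping": 1}'                         # constructed inner message
STALE_HEAP = b"user:admin pwd:hunter2 "                 # constructed stand-in for leftover heap data


def build_op_compressed(payload: bytes, claimed_uncompressed_size: int) -> bytes:
    """Build an OP_COMPRESSED frame. uncompressedSize comes from the caller, so a
    malicious client can make it disagree with the real inflated length."""
    compressed = zlib.compress(payload)
    body = struct.pack("<iiB", OP_MSG, claimed_uncompressed_size, COMPRESSOR_ZLIB) + compressed
    header = struct.pack("<iiii", 16 + len(body), 1, 0, OP_COMPRESSED)  # length, requestID, responseTo, opCode
    return header + body


def parse_op_compressed(frame: bytes):
    """Split a frame into (originalOpcode, uncompressedSize, compressorId, compressed payload)."""
    msg_len, _req_id, _resp_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame):
        raise ValueError("not a well-formed OP_COMPRESSED frame")
    orig_opcode, uncompressed_size, compressor_id = struct.unpack_from("<iiB", frame, 16)
    return orig_opcode, uncompressed_size, compressor_id, frame[25:]


def decompress_vulnerable(frame: bytes) -> bytes:
    """Bug class: allocate uncompressedSize bytes from a recycled (uninitialized) buffer,
    inflate into the front of it, and hand the WHOLE buffer onward."""
    _, size, comp_id, data = parse_op_compressed(frame)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError("unexpected compressor")
    # Simulated malloc(size) that returns memory still holding old contents.
    buf = bytearray(STALE_HEAP * (size // len(STALE_HEAP) + 1))[:size]
    out = zlib.decompressobj().decompress(data, size)    # inflate at most `size` bytes
    buf[:len(out)] = out                                  # bytes past len(out) are never written
    return bytes(buf)                                     # stale heap bytes travel with the message


def decompress_hardened(frame: bytes, max_uncompressed: int = 48 * 1024 * 1024) -> bytes:
    """Fix: bound the declared size, inflate, and require the declared and actual
    lengths to match exactly before using a single byte of the result."""
    _, size, comp_id, data = parse_op_compressed(frame)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError("unexpected compressor")
    if not 0 < size <= max_uncompressed:
        raise ValueError("implausible uncompressedSize")
    d = zlib.decompressobj()
    out = d.decompress(data, size + 1)   # allow one extra byte so an overlong stream is detectable
    if len(out) != size or not d.eof:
        raise ValueError("uncompressedSize does not match inflated length")
    return out


if __name__ == "__main__":
    honest = build_op_compressed(SAMPLE_PAYLOAD, len(SAMPLE_PAYLOAD))
    lying = build_op_compressed(SAMPLE_PAYLOAD, 64)   # claims 64 bytes, inflates to 11
    print("vulnerable decoder returned:", decompress_vulnerable(lying))
    print("hardened decoder on honest frame:", decompress_hardened(honest))
    try:
        decompress_hardened(lying)
    except ValueError as e:
        print("hardened decoder rejected lying frame:", e)
```

The check is cheap and is the one a protocol parser should always make: the length field in a header is an untrusted claim until the decompressor has confirmed it, and the buffer must be sized and zeroed (or trimmed) from the confirmed value, never from the claim.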
Where
The vulnerability affects MongoDB's global customer base, which includes over 62,000 clients worldwide and 70% of Fortune 100 companies, indicating a broad organizational impact across various industries.
When
The vulnerability was disclosed shortly before this article, with MongoDB issuing an advisory at the same time that asks customers to update to a fixed release or, failing that, to apply the mitigation below.
Key Factors
- CVE-2025-14847, rated as Important with a CVSS score of 8.7
- Mismatched length fields in Zlib-compressed protocol headers lead to disclosure of uninitialized memory
- Allows unauthenticated clients to read uninitialized heap memory
- Worst case reported: arbitrary code execution and control of the host
- Affects MongoDB versions 8.2.0-8.2.2, 8.0.0-8.0.16, 7.0.0-7.0.27, 6.0.0-6.0.26, 5.0.0-5.0.31, 4.4.0-4.4.29, and all versions of MongoDB Server v4.2, v4.0, and v3.6 (end-of-life branches that receive no fix)
Takeaways
- Immediate patching to the fixed versions (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30) is critical; deployments on 4.2, 4.0 or 3.6 have no fixed release and must be upgraded to a supported branch.
- Disabling Zlib compression (removing zlib from net.compression.compressors in the mongod configuration, or from the --networkMessageCompressors option) is a temporary mitigation if immediate updates are not possible; snappy and zstd can stay enabled.
- The widespread use of MongoDB means this vulnerability poses a significant risk across many organizations globally, especially for instances reachable from untrusted networks, since no credentials are needed to trigger it.
- Unauthenticated memory disclosure is serious on its own (credentials and data in the heap are exposed) and, in the worst case described, can be a step toward full system compromise.
Source: original article on Le Monde Informatique