- A high-severity flaw, CVE-2025-14847 (CVSS 8.7), can let unauthenticated clients read uninitialized heap memory.
- The problem stems from mismatched length fields in zlib-compressed protocol headers.
- Many versions from 3.6 through 8.2 are affected; fixed releases and a temporary mitigation are available.
MongoDB disclosed a high-severity vulnerability identified as CVE-2025-14847 with a CVSS score of 8.7. The flaw can allow unauthenticated clients to read uninitialized heap memory via the server’s zlib handling. The issue was reported publicly on Dec. 27, 2025.
The problem is classified as improper handling of length parameter inconsistency; this describes a situation where a length field does not match the actual size of the associated data. The CVE description states that *”Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client.”*
The vulnerability affects the following releases: MongoDB 8.2.0–8.2.3, 8.0.0–8.0.16, 7.0.0–7.0.26, 6.0.0–6.0.26, 5.0.0–5.0.31, 4.4.0–4.4.29, and all Server v4.2, v4.0, and v3.6 versions. Vendors and operators should treat any listed release as potentially vulnerable until updated.
Fixes have been published in the following versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. MongoDB said that *”An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server,”* and *”We strongly recommend upgrading to a fixed version as soon as possible.”*
As a temporary mitigation, operators can disable zlib compression on the server. See guidance to disable zlib compression, or start mongod/mongos with a networkMessageCompressors or net.compression.compressors setting that omits zlib; MongoDB also supports snappy and zstd compressors as alternatives. (zlib is a common data-compression library used to reduce message size.)
OP Innovate said, *”CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap.”* This disclosure notes that returned memory could contain sensitive in-memory data useful for further exploitation.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
