Red Hot Cyber
Critical MongoDB Vulnerability Exposed: CVE-2025-14847

23 December 2025 07:30

A critical vulnerability has been identified in MongoDB, one of the most widely used NoSQL database platforms globally.

This security flaw, tracked under CVE-2025-14847, allows attackers to extract sensitive data from server memory without requiring login.

The vulnerability is wide-reaching and affects nearly all supported (and unsupported) versions of MongoDB Server from recent years. The advisory lists impacts ranging from the current 8.2 series back to the 3.6 series.

This issue affects the versions listed below:

  • MongoDB from version 8.2.0 to 8.2.3
  • MongoDB from version 8.0.0 to 8.0.16
  • MongoDB from version 7.0.0 to 7.0.26
  • MongoDB from version 6.0.0 to 6.0.26
  • MongoDB from version 5.0.0 to 5.0.31
  • MongoDB from version 4.4.0 to 4.4.29
  • All versions of MongoDB Server v4.2
  • All versions of MongoDB Server v4.0
  • All versions of MongoDB Server v3.6

The weakness lies in the MongoDB server’s handling of data compression, specifically its zlib implementation. As noted in the advisory, a client exploiting the server’s zlib implementation could cause it to release uninitialized heap memory.

The vulnerability, with a CVSSv4 score of 8.7, is classified as “High Severity,” posing a significant risk to unpatched distributions, particularly since it does not require authentication to be exploited.

In computer security terms, this class of bug is loosely referred to as a “memory leak” or, more precisely, an “information disclosure.” By sending a specially crafted request, a malicious client can trick the server into including blocks of its internal heap memory in the response.

Crucially, the report emphasizes that this can be achieved “without authenticating to the server.” This means an attacker doesn’t need a username or password; all they need is network access to the database port to potentially harvest snippets of sensitive data, which could include anything from recent queries to cached credentials residing in the server’s RAM.

Maintainers have released fixed builds, which are as follows:

  • 8.2.3
  • 8.0.17
  • 7.0.28
  • 6.0.27
  • 5.0.32
  • 4.4.30

There are workarounds for teams that can’t stop their databases for an immediate upgrade. One option, as suggested by the advisory, is to disable zlib compression entirely, for example by starting mongod or mongos with a net.compression.compressors setting that explicitly omits zlib.

Safe alternatives for compression include “snappy” or “zstd”. Another option is to run the process with compression disabled until the patch can be applied.
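As an added example (not part of the article or of MongoDB's own tooling), the following Python helper applies the version and compressor lists above to a server's version string and mongod.conf: it reports whether a server is on a fixed build, is mitigated because zlib is omitted from net.compression.compressors, or is still exposed. The sample configuration and the SAMPLE_CONF, parse_version, compressors_from_config and assess names are constructed for this illustration.

```python
import re

# Fixed builds per release series, as listed in the article; the 4.2, 4.0 and
# 3.6 series are affected in every release and have no fixed build.
FIXED = {(8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
         (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30)}
UNFIXED_SERIES = {(4, 2), (4, 0), (3, 6)}

# Constructed sample mongod.conf showing the weak setting (zlib still offered).
SAMPLE_CONF = """\
net:
  compression:
    compressors: snappy,zstd,zlib   # drop zlib until the fixed build is deployed
"""

def parse_version(text):
    """'7.0.26' -> (7, 0, 26); any pre-release suffix is ignored."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip()).groups())

def compressors_from_config(conf_text):
    """net.compression.compressors as a list, or None if the key is absent
    (server default applies). Only the documented comma-separated form is handled."""
    path, want = [], ["net", "compression", "compressors"]
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:       # back out of deeper/sibling keys
            path.pop()
        path.append((indent, key))
        if [k for _, k in path] == want:
            if not value.strip():
                raise ValueError("YAML list form of compressors is not handled")
            return [c.strip().strip("'\"") for c in value.split(",") if c.strip()]
    return None

def assess(version, compressors):
    """Classify a server as fixed, mitigated (zlib not offered), vulnerable or unknown."""
    v = parse_version(version)
    series = v[:2]
    if series in FIXED and v >= FIXED[series]:
        return "fixed"
    if series not in FIXED and series not in UNFIXED_SERIES:
        return "unknown"          # release series not covered by the advisory
    if compressors is not None and "zlib" not in compressors:
        return "mitigated"        # covers an explicit 'disabled' value too
    return "vulnerable"
```

A result of "unknown" means the series is not in the advisory's lists, so check the vendor's current advisory rather than assuming safety.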


Editorial Team

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.