Red Hot Cyber
Critical MongoDB Vulnerability Exposed: CVE-2025-14847

23 December 2025 07:30

A critical vulnerability has been identified in MongoDB, one of the most widely used NoSQL database platforms globally.

This security flaw, tracked under CVE-2025-14847, allows attackers to extract sensitive data from server memory without requiring login.

The vulnerability is far-reaching and affects nearly all supported (and unsupported) versions of MongoDB Server from recent years: the advisory lists affected releases from the current 8.2 series back to version 3.6.

This issue affects the versions listed below:

  • MongoDB from version 8.2.0 to 8.2.3
  • MongoDB from version 8.0.0 to 8.0.16
  • MongoDB from version 7.0.0 to 7.0.26
  • MongoDB from version 6.0.0 to 6.0.26
  • MongoDB from version 5.0.0 to 5.0.31
  • MongoDB from version 4.4.0 to 4.4.29
  • All versions of MongoDB Server v4.2
  • All versions of MongoDB Server v4.0
  • All versions of MongoDB Server v3.6

The weakness lies in the MongoDB server’s handling of data compression, specifically its zlib implementation. As noted in the advisory, a client-side exploit of the server’s zlib implementation could result in the release of uninitialized heap memory.

The vulnerability, with a CVSSv4 score of 8.7, is classified as “High Severity,” posing a significant risk to unpatched distributions, particularly since it does not require authentication to be exploited.

In computer security terms, this bug is often referred to as a “memory leak” or “information disclosure.” By sending a specially crafted request, a malicious client can trick the server into responding with blocks of data from its internal memory (heap).

Crucially, the report emphasizes that this can be achieved “without authenticating to the server.” This means an attacker doesn’t need a username or password; all they need is network access to the database port to potentially harvest snippets of sensitive data, which could include anything from recent queries to cached credentials residing in the server’s RAM.

Maintainers have released corrected builds that are free of the bug in question, which are as follows:

  • 8.2.3
  • 8.0.17
  • 7.0.28
  • 6.0.27
  • 5.0.32
  • 4.4.30

There are workarounds for teams that can’t stop their databases for an immediate upgrade. One option, as suggested by the advisory, is to disable zlib compression entirely, for example by starting mongod or mongos with a net.compression.compressors option that explicitly omits zlib.

Safe alternatives for compression include “snappy” or “zstd”. Another option is to run the process with compression disabled until the patch can be applied.
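As an added example (not from the advisory or from MongoDB’s own tooling), the following Python helper checks a reported server version against the affected and fixed ranges listed above and rewrites a net.compression.compressors value so that zlib is omitted. Since 8.2.3 appears both in the affected range and in the fixed list, the helper treats the fixed-version list as authoritative; version strings and compressor values below are constructed samples.

```python
"""Added example: triage a mongod/mongos version for CVE-2025-14847 and
derive a net.compression.compressors value that omits zlib."""
import re

# First fixed build per series, taken from the advisory's fixed-version list.
# Anything below the fix in the same series is affected.
FIXED = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}
# Series the advisory lists as affected in full, with no fixed build.
UNFIXED_SERIES = {(4, 2), (4, 0), (3, 6)}


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'db version v7.0.12'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True/False for series covered by the advisory, None for unknown series."""
    series = version[:2]
    if series in UNFIXED_SERIES:
        return True
    if series in FIXED:
        return version < FIXED[series]
    return None


def harden_compressors(value):
    """Drop zlib from a comma-separated compressor list (snappy/zstd stay).
    Returns 'disabled' when nothing else remains, i.e. compression off."""
    kept = [c.strip() for c in value.split(",")]
    kept = [c for c in kept if c and c != "zlib"]
    if not kept or kept == ["disabled"]:
        return "disabled"
    return ",".join(kept)


if __name__ == "__main__":
    # Constructed sample: an unpatched 7.0 server with zlib enabled.
    banner = "db version v7.0.12"
    v = parse_version(banner)
    print(banner, "affected:", is_affected(v))
    print("compressors:", harden_compressors("snappy,zstd,zlib"))
```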

The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.