MongoDB has warned IT admins to immediately patch a high-severity vulnerability that can be exploited in remote code execution (RCE) attacks targeting vulnerable servers.
Tracked as CVE-2025-14847, this security flaw affects multiple MongoDB and MongoDB Server versions and can be exploited by unauthenticated threat actors in low-complexity attacks that don’t require user interaction.
CVE-2025-14847 is due to an improper handling of length parameter inconsistency, which can allow attackers to execute arbitrary code and potentially gain control of targeted devices.
To patch the security flaw and block potential attacks, admins are advised to immediately upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
The vulnerability impacts the following MongoDB versions:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
“An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible,” MongoDB’s security team said in a Friday advisory.
“We strongly suggest you upgrade immediately. If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another MongoDB RCE flaw (CVE-2019-10758) to its catalog of known exploited vulnerabilities four years ago, tagging it as actively exploited and ordering federal agencies to secure their systems, as mandated by Binding Operational Directive (BOD) 22-01.
MongoDB is a popular non-relational database management system (DBMS) that, unlike relational databases such as PostgreSQL and MySQL, stores data in BSON (Binary JSON) documents instead of tables.
The database software is used by more than 62,500 customers worldwide, including dozens of Fortune 500 companies.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.