MongoDB has disclosed a critical security vulnerability tracked as CVE-2025-14847 that could allow attackers to extract uninitialized heap memory from database servers without authentication.
The flaw affects MongoDB Server versions dating back to 3.6 and stems from the server's handling of zlib-compressed network messages, which any network client can trigger.
Vulnerability Overview
The issue lets an attacker retrieve uninitialized heap memory from the server by abusing the zlib compressor used for wire-protocol message compression.
What makes the vulnerability particularly severe is that the attack does not require authentication: anyone who can reach the MongoDB port can attempt it, which significantly lowers the barrier to exploitation.
The vulnerability impacts an extensive range of MongoDB deployments, including versions 8.2.0 through 8.2.2, 8.0.0 through 8.0.16, 7.0.0 through 7.0.26, 6.0.0 through 6.0.26, 5.0.0 through 5.0.31, and 4.4.0 through 4.4.29.
Additionally, all instances of MongoDB Server versions 4.2, 4.0, and 3.6 are vulnerable.
MongoDB strongly recommends immediate upgrades to patched versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. These releases contain fixes that address the uninitialized memory exposure issue.
Organizations unable to upgrade immediately can implement a workaround by disabling zlib compression on MongoDB servers.
This involves starting mongod or mongos with the --networkMessageCompressors command-line option (or the equivalent net.compression.compressors setting in the configuration file) set to a list that excludes zlib, for example "snappy,zstd", or to "disabled" to turn off wire compression entirely. The setting must be given explicitly: on current releases the documented default list is "snappy,zstd,zlib", so a server that does not set the option at all still has zlib enabled. The change takes effect only after the process is restarted, and because compressors are negotiated per connection, removing zlib on the server side is sufficient regardless of what clients request.
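The following audit helper is an added example, not MongoDB's own tooling or code from the advisory. It shows the weak configuration (no compressors setting, so the default list with zlib applies) beside the hardened one from the workaround above, and it decides from a mongod.conf file or a mongod/mongos command line whether zlib is still in the effective compressor list. It assumes the documented default of "snappy,zstd,zlib" for current releases and handles only the single-line YAML form of net.compression.compressors; the sample configuration files are constructed inline.

```shell
#!/bin/sh
# Added example: audit whether a mongod/mongos configuration still allows zlib
# network message compression (the CVE-2025-14847 workaround removes it).
# Assumption: on current MongoDB releases the documented default for
# net.compression.compressors / --networkMessageCompressors is "snappy,zstd,zlib",
# so an absent setting means zlib is enabled.

DEFAULT_COMPRESSORS="snappy,zstd,zlib"

# Strip quotes and whitespace from a compressors value; empty means the default applies.
normalize_compressors() {
    v=$(printf '%s' "$1" | tr -d "\"' \t")
    [ -n "$v" ] || v="$DEFAULT_COMPRESSORS"
    printf '%s' "$v"
}

# Exit status 0 (true) when the effective compressor list still contains zlib.
zlib_enabled() {
    v=$(normalize_compressors "$1")
    case ",$v," in
        *,zlib,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read net.compression.compressors from a YAML config file.
# Comments are dropped first so "compressors: zlib # note" is still parsed;
# only the single-line "compressors: value" form is handled.
compressors_from_conf() {
    sed -n 's/#.*//; s/^[[:space:]]*compressors:[[:space:]]*//p' "$1" | head -n 1
}

# Read the value of --networkMessageCompressors from a command line string,
# accepting both "--opt=value" and "--opt value" spellings.
compressors_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        $0 ~ /^--networkMessageCompressors=/ { sub(/^[^=]*=/, ""); print; exit }
        $0 == "--networkMessageCompressors"  { getline; print; exit }'
}

# Human-readable verdict for one effective compressors value.
assess() {
    if zlib_enabled "$1"; then
        printf 'VULNERABLE: zlib enabled (effective list: %s)\n' "$(normalize_compressors "$1")"
    else
        printf 'OK: zlib disabled (effective list: %s)\n' "$(normalize_compressors "$1")"
    fi
}

# Constructed sample configs: the weak one omits the setting (default list with zlib),
# the hardened one applies the advisory's workaround.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# constructed sample: compressors not set, so the default (including zlib) applies
net:
  port: 27017
  bindIp: 127.0.0.1
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# constructed sample: workaround, zlib removed from the list
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd
EOF

for f in weak.conf hardened.conf; do
    printf '%s: ' "$f"
    assess "$(compressors_from_conf "$SAMPLE_DIR/$f")"
done
printf 'cmdline: '
assess "$(compressors_from_cmdline 'mongod --port 27017 --networkMessageCompressors=disabled')"
```

Run it against each mongod.conf and each running mongod/mongos command line (for example from ps output) across a fleet; anything reported VULNERABLE needs either the patch or an explicit compressors list without zlib, followed by a restart.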
Database administrators should prioritize patching this vulnerability given its critical nature and the absence of authentication requirements for exploitation.
The exposed heap memory could potentially contain sensitive information including credentials, query data, or other confidential database contents.
