CVE Tools

CVE-2025-14847

Zlib compressed protocol header length confusion may allow memory read

Published: Dec 19, 2025Updated: Jan 13, 2026 Sources: CVE List NVD BDUCWE-130

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

In plain language

AI Act now

CVE-2025-14847 is a serious bug in MongoDB’s handling of compressed network data that can let an outside attacker read server memory without logging in; small businesses running affected MongoDB versions should act immediately.

Executive summary

Unauthenticated remote memory disclosure is possible in mongodb (Zlib compressed protocol handling) due to a compressed protocol header length confusion (CWE-130), where a mismatch in header length fields can cause uninitialized heap memory to be read.

If affected, business impact
Sensitive memory contents exposedPotential credential and key leakageIncreased account and data breach riskNeeds urgent server upgrade

What to do now

  1. Check whether you run MongoDB (or Red OS / Mailion builds that include MongoDB) and identify your exact server version.
  2. Compare your version to the fixed versions list below and plan an upgrade if you are on an affected version.
  3. Upgrade MongoDB to a fixed release: 4.4.30 or later, 5.0.32 or later, 6.0.27 or later, 7.0.28 or later, 8.0.17 or later, or 8.2.3 or later.
  4. If you cannot upgrade right away, contact your vendor/IT team for the vendor-specific mitigations referenced by the MongoDB security issue; do not rely on “no one will attack us” as protection.
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None

Weaknesses

Affected Products

mongodb
commercial·US
MongoDB Inc.
commercial·USaka mongodb server, mongodb, mongodb ops manager
ООО «Новые Облачные Технологии»
commercial·RUaka новые облачные, ооо облачные
and 1 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Dec 29, 2025
Remediation due:Jan 19, 2026

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available

References

and 7 more references View all →
6

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-14847 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows