CVE-2025-14847
Zlib compressed protocol header length confusion may allow memory read
Description
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
In plain language
AI Act nowCVE-2025-14847 is a serious bug in MongoDB’s handling of compressed network data that can let an outside attacker read server memory without logging in; small businesses running affected MongoDB versions should act immediately.
Unauthenticated remote memory disclosure is possible in mongodb (Zlib compressed protocol handling) due to a compressed protocol header length confusion (CWE-130), where a mismatch in header length fields can cause uninitialized heap memory to be read.
What to do now
- Check whether you run MongoDB (or Red OS / Mailion builds that include MongoDB) and identify your exact server version.
- Compare your version to the fixed versions list below and plan an upgrade if you are on an affected version.
- Upgrade MongoDB to a fixed release: 4.4.30 or later, 5.0.32 or later, 6.0.27 or later, 7.0.28 or later, 8.0.17 or later, or 8.2.3 or later.
- If you cannot upgrade right away, contact your vendor/IT team for the vendor-specific mitigations referenced by the MongoDB security issue; do not rely on “no one will attack us” as protection.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:NIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsReferences
- Малварь ChocoPoC распространяется под видом фальшивых эксплоитовru-ru·Хакер (xakep.ru)·
- New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Reposen·The Hacker News·
- ChocoPoc malware delivered via trojanized exploits on GitHuben-us·BleepingComputer·
- New ChocoPoC malware targets researchers via trojanized PoC exploitsen-us·BleepingComputer·
- Киберугрозы 2025-2026: какие уязвимости были и будут в трендеru·Positive Technologies (Хабр)· Summary only·
- Январский «В тренде VM»: уязвимости в Windows, React и MongoDBru·Positive Technologies (Хабр)· Summary only·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2025-14847 and every CVE in our database. Create a free account — no credit card required.
Create Free Account