Latest MongoDB vulnerability: CVE-2025-14847 #
MongoDB disclosed a pre-authentication memory leak vulnerability affecting multiple versions of the server. This flaw results from mismatched length fields in Zlib-compressed protocol headers, which may allow a remote, unauthenticated adversary to read uninitialized heap memory. This exposure of sensitive data can lead to unauthorized information disclosure. The vulnerability has been designated CVE-2025-14847 and has been rated high with a CVSS score of 7.5.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- MongoDB Server 3.6.x all versions
- MongoDB Server 4.0.x all versions
- MongoDB Server 4.2.x all versions
- MongoDB Server 4.4.x versions prior to 4.4.30
- MongoDB Server 5.0.x versions prior to 5.0.32
- MongoDB Server 6.0.x versions prior to 6.0.27
- MongoDB Server 7.0.x versions prior to 7.0.28
- MongoDB Server 8.0.x versions prior to 8.0.17
- MongoDB Server 8.2.x versions prior to 8.2.3
What is MongoDB? #
MongoDB is a non-relational, document-oriented database that stores data in flexible, BSON-formatted structures rather than fixed tabular rows and columns, allowing for dynamic schemas and horizontal scaling across distributed systems.
What is the impact? #
Successful exploitation of the vulnerability would allow an adversary to potentially obtain sensitive data from the server, which may result in further compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- MongoDB Server 3.6.x end-of-life (EOL) versions upgrade to a supported version
- MongoDB Server 4.0.x end-of-life (EOL) versions upgrade to a supported version
- MongoDB Server 4.2.x end-of-life (EOL) versions upgrade to a supported version
- MongoDB Server 4.4.x upgrade to version 4.4.30 or later
- MongoDB Server 5.0.x upgrade to version 5.0.32 or later
- MongoDB Server 6.0.x upgrade to version 6.0.27 or later
- MongoDB Server 7.0.x upgrade to version 7.0.28 or later
- MongoDB Server 8.0.x upgrade to version 8.0.17 or later
- MongoDB Server 8.2.x upgrade to version 8.2.3 or later
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
((vendor:=MongoDB AND (product:=MongoDB OR product:="MongoDB MongoDB")) OR (product:="MongoDB%Server")) AND
(version:>0 AND (
(version:>=3.6.0 AND version:<3.7) OR
(version:>=4.0.0 AND version:<4.1) OR
(version:>=4.2.0 AND version:<4.3) OR
(version:>=4.4.0 AND version:<4.4.30) OR
(version:>=5.0.0 AND version:<5.0.32) OR
(version:>=6.0.0 AND version:<6.0.27) OR
(version:>=7.0.0 AND version:<7.0.28) OR
(version:>=8.0.0 AND version:<8.0.17) OR
(version:>=8.2.0 AND version:<8.2.3)))
