A high-risk security vulnerability has been disclosed in MongoDB that could allow an unauthenticated user to read uninitialized heap memory.
The vulnerability is tracked as CVE-2025-14847 (CVSS score: 8.7) and is described as a case of mishandling of length parameter inconsistencies, which occurs when a program fails to properly handle situations where the length field does not match the actual length of the associated data.
According to the description of the flaw on CVE.org, "A mismatch in the length field in the Zlib compression protocol header could allow an unauthenticated client to read uninitialized heap memory."
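To make the weakness class concrete from a defender's side, here is an added Python example that is not MongoDB's code and does not reproduce MongoDB's wire protocol. It uses a constructed frame layout (a 4-byte little-endian declared uncompressed length followed by a zlib stream) and contrasts a decoder that trusts the header with one that bounds the claim, caps the decompressed output, and rejects any frame whose header length disagrees with what the stream actually produces. The function names and the frame layout are assumptions made for this illustration.

```python
import struct
import zlib

# Constructed frame layout for this example (NOT MongoDB's wire format):
# 4-byte little-endian declared uncompressed length, then a zlib stream.
HEADER = struct.Struct("<I")


class LengthMismatch(ValueError):
    """Raised when the header's length claim disagrees with the zlib stream."""


def build_frame(payload: bytes, declared_len=None) -> bytes:
    """Build a frame; declared_len overrides the true size to simulate a bad header."""
    if declared_len is None:
        declared_len = len(payload)
    return HEADER.pack(declared_len) + zlib.compress(payload)


def decode_trusting_header(frame: bytes) -> bytes:
    """Weak pattern: the output buffer is sized from the header and returned whole.

    If the stream yields fewer bytes than declared, the tail of the buffer is
    never written. bytearray() zero-fills here, so the tail shows up as NULs;
    a C allocator would hand back stale heap contents in those positions.
    """
    (declared_len,) = HEADER.unpack_from(frame)
    out = bytearray(declared_len)
    body = zlib.decompress(frame[HEADER.size:])
    n = min(len(body), declared_len)
    out[:n] = body[:n]
    return bytes(out)


def decode_checked(frame: bytes, max_len: int = 1 << 20) -> bytes:
    """Hardened pattern: bound the claim, cap the output, require exact agreement."""
    (declared_len,) = HEADER.unpack_from(frame)
    if declared_len > max_len:
        raise LengthMismatch(f"declared length {declared_len} exceeds limit {max_len}")
    d = zlib.decompressobj()
    # Allow one byte more than declared so an over-long stream is detectable
    # without inflating an unbounded amount of data.
    body = d.decompress(frame[HEADER.size:], declared_len + 1)
    if len(body) != declared_len:
        raise LengthMismatch(
            f"header says {declared_len} bytes, stream produced {len(body)}"
        )
    if not d.eof or d.unconsumed_tail or d.unused_data:
        raise LengthMismatch("stream did not end cleanly at the declared length")
    return body


def header_is_consistent(frame: bytes) -> bool:
    """True only if the frame passes the strict decoder (handy for fuzz/regression checks)."""
    try:
        decode_checked(frame)
        return True
    except LengthMismatch:
        return False


if __name__ == "__main__":
    # Constructed sample: the header claims 8 bytes but the stream holds 5.
    bad = build_frame(b"hello", declared_len=8)
    print("trusting decoder returned:", decode_trusting_header(bad))
    print("checked decoder accepts it:", header_is_consistent(bad))
```

The trusting decoder hands back three bytes it never wrote, which is exactly the slack that becomes a heap disclosure in a native implementation. The checked decoder treats the header as a claim to be verified rather than a size to be trusted, and it caps decompression so a hostile header cannot force a large allocation either.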
The flaw affects the following database versions -
MongoDB 8.2.0 to 8.2.3
MongoDB 8.0.0 to 8.0.16
MongoDB 7.0.0 to 7.0.26
MongoDB 6.0.0 to 6.0.26
MongoDB 5.0.0 to 5.0.31
MongoDB 4.4.0 to 4.4.29
All MongoDB Server v4.2 Versions
All MongoDB Server v4.0 Versions
All MongoDB Server v3.6 Versions
This issue has been resolved in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.