MongoDB Flaw Lets Unauthenticated Users Read Heap Memory

MongoDB recently disclosed a serious security flaw that could allow an attacker who has not authenticated to read data from the heap memory of the MongoDB database server process.

The issue is tracked as CVE-2025-14847 and carries a score of 8.7 on the Common Vulnerability Scoring System (CVSS). It stems from the way MongoDB uses zlib for data compression during network transfers: malformed protocol headers can, under certain circumstances, cause the server to read uninitialized heap memory.

According to the advisory published on CVE.org, the problem occurs when a length field in a compressed message does not match the actual size of the associated data. Because this inconsistency is not validated, the server can read beyond the intended bounds, exposing memory contents to a remote client that has not authenticated.
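The length check the advisory describes, as an added example that is not code from MongoDB or from the original post: a small Python parser for the public OP_COMPRESSED wire-message layout (16-byte standard header, then originalOpcode, uncompressedSize and compressorId) that inflates the zlib body and rejects any message whose declared uncompressedSize disagrees with the number of bytes the decompressor actually produces. The sample messages are constructed inside the block; MongoDB's own server code is not reproduced here, and the constants and message layout come from the published wire protocol, not from the post.

```python
import struct
import zlib
from typing import Optional

# Public MongoDB wire-protocol constants for OP_COMPRESSED (not MongoDB's code).
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
HEADER_LEN = 16            # messageLength, requestID, responseTo, opCode (int32 each)
COMPRESSED_HEADER_LEN = 9  # originalOpcode (int32), uncompressedSize (int32), compressorId (uint8)
MAX_MESSAGE_SIZE = 48 * 1024 * 1024  # mongod's maximum wire message size


def build_zlib_message(payload: bytes, declared_size: Optional[int] = None,
                       request_id: int = 1) -> bytes:
    """Wrap `payload` in an OP_COMPRESSED message compressed with zlib.

    `declared_size` overrides the uncompressedSize header field so a test can
    construct a message whose header disagrees with the real payload length,
    which is the inconsistency the advisory describes.
    """
    if declared_size is None:
        declared_size = len(payload)
    body = zlib.compress(payload)
    comp_header = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB)
    total = HEADER_LEN + COMPRESSED_HEADER_LEN + len(body)
    header = struct.pack("<iiii", total, request_id, 0, OP_COMPRESSED)
    return header + comp_header + body


def inflate_message(msg: bytes) -> bytes:
    """Return the decompressed payload, or raise ValueError.

    Every size field is treated as untrusted: the inflate is bounded by the
    declared size and the result must be exactly that long, so a header that
    overstates or understates the payload is rejected instead of being used
    to size a buffer that the decompressor never fills.
    """
    if len(msg) < HEADER_LEN + COMPRESSED_HEADER_LEN:
        raise ValueError("message shorter than the OP_COMPRESSED headers")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError("not an OP_COMPRESSED message")
    if msg_len != len(msg):
        raise ValueError("messageLength disagrees with bytes received")
    _orig, declared, compressor = struct.unpack_from("<iiB", msg, HEADER_LEN)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("only zlib is handled in this example")
    if not 0 <= declared <= MAX_MESSAGE_SIZE:
        raise ValueError("uncompressedSize out of range")
    body = msg[HEADER_LEN + COMPRESSED_HEADER_LEN:]
    d = zlib.decompressobj()
    try:
        # Bounded inflate: never produce more than declared+1 bytes, whatever
        # the stream would expand to.
        out = d.decompress(body, declared + 1)
    except zlib.error as exc:
        raise ValueError(f"corrupt zlib stream: {exc}") from exc
    # Exactly `declared` bytes, stream fully consumed, nothing left over.
    if len(out) != declared or not d.eof or d.unconsumed_tail or d.unused_data:
        raise ValueError("uncompressedSize does not match the inflated data")
    return out


def is_well_formed(msg: bytes) -> bool:
    """Boolean wrapper, convenient for a pre-filter in a proxy or for tests."""
    try:
        inflate_message(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample payload (any bytes; a real message would be BSON).
    sample = b'{"hello": 1, "$db": "admin"}'
    print("consistent header accepted:", is_well_formed(build_zlib_message(sample)))
    print("overstated size rejected:",
          not is_well_formed(build_zlib_message(sample, declared_size=len(sample) + 4096)))
```

The point of the bounded inflate is that neither the declared size nor the compressed length is allowed to drive an allocation or a copy on its own: the server-side equivalent is to allocate only what the decompressor fills, and to drop the connection when the two disagree.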

Affected Versions
The vulnerability impacts a wide range of MongoDB Server releases, including:
1. MongoDB 8.2.0 – 8.2.3
2. MongoDB 8.0.0 – 8.0.16
3. MongoDB 7.0.0 – 7.0.26
4. MongoDB 6.0.0 – 6.0.26
5. MongoDB 5.0.0 – 5.0.31
6. MongoDB 4.4.0 – 4.4.29
7. All MongoDB Server v4.2, v4.0, and v3.6 versions

MongoDB has released patches addressing the issue in the following versions:
1. MongoDB 8.2.3
2. MongoDB 8.0.17
3. MongoDB 7.0.28
4. MongoDB 6.0.27
5. MongoDB 5.0.32
6. MongoDB 4.4.30

Security Impact
According to MongoDB, an unauthenticated attacker can abuse the server's zlib compression handling to obtain uninitialized heap memory from the database process. Although the vulnerability does not directly allow code execution, the leaked memory may contain sensitive information, including internal state and pointers to data in memory, which could be used in further attacks against MongoDB.

In a similar vein, security firm OP Innovate observes that a vulnerability like this is a significant enabler for more sophisticated attacks, because the attacker gains an understanding of how MongoDB behaves at runtime.

Mitigation Recommendations
MongoDB strongly encourages upgrading to a patched version as soon as possible. If you cannot upgrade right away, the following temporary mitigations are available.

You can remove zlib from the compressors your MongoDB instance negotiates by restricting it to the alternative methods (snappy or zstd), or you can disable zlib compression entirely. Either is done at startup with the "networkMessageCompressors" command-line option or the "net.compression.compressors" configuration-file setting of the mongod or mongos process.

Disabling zlib compression removes this attack vector; however, it is still important to upgrade your MongoDB software fully as soon as you are able to.
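A way to audit the two settings named above across a fleet, as an added example that is not part of the original post and not MongoDB's tooling: a Python script that reads the net.compression.compressors value from a mongod.conf body and the --networkMessageCompressors option from a process command line, reports whether zlib can still be negotiated, and computes the hardened value (every compressor except zlib, or "disabled" when nothing is left). The sample configuration files are constructed here; the block assumes the documented mongod default of snappy,zstd,zlib when the option is unset, and that a command-line option overrides the configuration file.

```python
import re
import shlex
from typing import Optional

# Assumption: the documented mongod default when the option is unset. An
# unset option therefore still lets clients negotiate zlib.
DEFAULT_COMPRESSORS = ("snappy", "zstd", "zlib")

# Constructed sample configuration files (not from the original post).
VULNERABLE_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd,zlib
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd
"""


def _parse_value(value: str) -> tuple:
    """Turn 'snappy,zstd' (optionally quoted) into a tuple; 'disabled' means none."""
    value = value.strip().strip("\"'")
    if value.lower() == "disabled":
        return ()
    return tuple(v.strip() for v in value.split(",") if v.strip())


def compressors_from_config(conf_text: str) -> tuple:
    """Read net.compression.compressors from a mongod.conf (YAML) body.

    A single line match is enough because `compressors` appears only under
    net.compression in mongod's configuration schema; commented-out lines do
    not match because the pattern requires the key at the start of the line.
    """
    m = re.search(r"^\s*compressors:\s*(\S.*?)\s*$", conf_text, re.MULTILINE)
    return DEFAULT_COMPRESSORS if m is None else _parse_value(m.group(1))


def compressors_from_cmdline(cmdline: str) -> Optional[tuple]:
    """Read --networkMessageCompressors from a mongod/mongos command line.

    Returns None when the option is absent so the caller can fall back to
    the configuration file.
    """
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--networkMessageCompressors="):
            return _parse_value(arg.split("=", 1)[1])
        if arg == "--networkMessageCompressors" and i + 1 < len(args):
            return _parse_value(args[i + 1])
    return None


def effective_compressors(conf_text: str = "", cmdline: str = "") -> tuple:
    """Command-line option wins over the config file; unset falls back to the default."""
    from_cli = compressors_from_cmdline(cmdline)
    return from_cli if from_cli is not None else compressors_from_config(conf_text)


def zlib_negotiable(compressors: tuple) -> bool:
    return "zlib" in compressors


def hardened_value(compressors: tuple) -> str:
    """The option value that keeps every compressor except zlib."""
    kept = [c for c in compressors if c != "zlib"]
    return ",".join(kept) if kept else "disabled"


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        current = effective_compressors(conf, "mongod --config /etc/mongod.conf")
        print(f"{name}: compressors={current} zlib_negotiable={zlib_negotiable(current)}"
              f" suggested_value={hardened_value(current)}")
```

Changing the option requires a restart of the mongod or mongos process, so confirm the result on the running server rather than trusting the file: the hello command (isMaster on older releases) accepts a compression array from the client and replies with the compressors the server is willing to use from that list, so `db.adminCommand({hello: 1, compression: ["zlib"]})` from mongosh returning no zlib entry in its compression field shows the mitigation is in effect.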

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067