A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to correctly handle situations where a length field is inconsistent with the actual length of the associated data.
"Mismatched length fields in Zlib compressed protocol headers could allow a read of uninitialized heap memory by an unauthenticated user," according to a description of the flaw on CVE.org.

The flaw affects the following versions of the database:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
"A client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server," MongoDB said. "We strongly recommend upgrading to a fixed version as soon as possible."

If an immediate update is not an option, it is recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd.
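The workaround above in practice, as an added example that is not part of the article or MongoDB's own tooling: two constructed mongod.conf fragments, one that still offers zlib (equivalent to the server default) and one that explicitly omits it, plus a small check that reports whether a given config would still negotiate zlib. The temp-file paths and the `zlib_allowed` function are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the advisory or from MongoDB. The two config
# files below are constructed for this demo.

# Before: explicit list that still includes zlib (same set as the server
# default, so an unpatched server remains exposed).
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib
EOF

# After: the mitigation from the advisory, an explicit list that omits zlib.
# Equivalent command line: mongod --networkMessageCompressors snappy,zstd
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
net:
  port: 27017
  compression:
    compressors: snappy,zstd
EOF

# zlib_allowed FILE -> prints "yes" if the config would still negotiate
# zlib, "no" otherwise. A missing compressors key means the server default
# applies, which includes zlib, so that is reported as "yes" too.
zlib_allowed() {
    line=$(grep -E '^[[:space:]]*compressors:' "$1" | head -n1)
    if [ -z "$line" ]; then
        echo yes
        return
    fi
    # Strip the key and all whitespace, leaving the comma-separated list.
    value=$(printf '%s' "$line" \
        | sed -E 's/^[[:space:]]*compressors:[[:space:]]*//; s/[[:space:]]//g')
    case ",$value," in
        *,zlib,*) echo yes ;;
        *)        echo no  ;;
    esac
}

zlib_allowed "$BEFORE"   # yes
zlib_allowed "$AFTER"    # no
```

Run it against a real /etc/mongod.conf to confirm the workaround is in place before restarting mongod or mongos; the check only inspects the config, it does not connect to the server.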
"CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap," OP Innovate said. "This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may aid an attacker in further exploitation."