New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Heap Memory


A high-impact vulnerability has been identified in MongoDB that enables unauthenticated clients to read uninitialized heap memory from the server process.

The weakness, cataloged as CVE-2025-14847 (CVSS score: 8.7), is classed as improper handling of length parameter inconsistency (CWE-130): the software fails to handle the case where a length field does not match the real size of the data it describes.

“Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client,” according to a description of the issue on CVE.org.

The following database versions are affected –

  • MongoDB 8.2.0 through 8.2.2
  • MongoDB 8.0.0 through 8.0.16
  • MongoDB 7.0.0 through 7.0.26
  • MongoDB 6.0.0 through 6.0.26
  • MongoDB 5.0.0 through 5.0.31
  • MongoDB 4.4.0 through 4.4.29
  • All MongoDB Server v4.2 versions
  • All MongoDB Server v4.0 versions
  • All MongoDB Server v3.6 versions

The flaw has been remediated in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. No fixed release is listed for the 4.2, 4.0 and 3.6 branches, so deployments on those versions must either upgrade to a supported branch or apply the mitigation below.

“A client-side exploit of the server’s zlib implementation can cause uninitialized heap memory to be returned without requiring authentication,” MongoDB said. “We strongly recommend upgrading to a fixed version as soon as possible.”

If an immediate upgrade is not feasible, disable zlib compression on every mongod and mongos in the deployment by starting them with a networkMessageCompressors command-line option or a net.compression.compressors configuration value that explicitly excludes zlib, for example a list containing only snappy and zstd, the other compressors MongoDB supports, or the value disabled, which turns off wire compression entirely. The mitigation only takes effect on instances that have been restarted with the new setting; a single mongos or mongod still offering zlib remains exposed.
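As an added example (not MongoDB's code or part of the original advisory), the following Python helper encodes the affected and fixed version ranges listed above together with the zlib-exclusion mitigation, so that an inventory of mongod and mongos instances can be sorted into patched, mitigated, exposed, or unknown (a release branch the advisory text does not cover). The host names, version strings and compressor settings are constructed sample data; treating an instance with no explicit compressor setting as having zlib enabled is an assumption, based on the current default of snappy,zstd,zlib.

```python
"""Triage helper for CVE-2025-14847 (MongoDB zlib compression, uninitialized heap read).

Added example, not MongoDB's code. It encodes the affected/fixed ranges stated in the
advisory text above and the zlib-exclusion mitigation, so an inventory of mongod/mongos
instances can be classified as patched, mitigated, exposed or unknown.
"""
import re
from typing import Optional

# First fixed release per release branch, taken from the advisory text.
FIXED_IN = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
# Branches for which every version is affected and no fixed release is listed.
UNFIXED_BRANCHES = {(4, 2), (4, 0), (3, 6)}

# Assumption: an instance with no explicit compressor setting is treated as having
# zlib enabled, since the current default of net.compression.compressors includes it.
DEFAULT_COMPRESSORS = ("snappy", "zstd", "zlib")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' as reported by db.version(); suffixes such as '-rc0' or '-ent' are ignored."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it carries the fix,
    None if the branch is not covered by the advisory text reproduced on this page."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in UNFIXED_BRANCHES:
        return True
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def parse_compressors(setting: Optional[str]) -> tuple[str, ...]:
    """Normalise a net.compression.compressors / --networkMessageCompressors value.
    'disabled' turns wire compression off entirely; None means 'not explicitly set'."""
    if setting is None:
        return DEFAULT_COMPRESSORS
    names = tuple(n.strip().lower() for n in setting.split(",") if n.strip())
    if names == ("disabled",):
        return ()
    return names


def zlib_enabled(setting: Optional[str]) -> bool:
    """True if the server will still negotiate zlib with a client that offers it."""
    return "zlib" in parse_compressors(setting)


def triage(version: str, compressors: Optional[str] = None) -> str:
    """Classify one instance: 'patched', 'mitigated', 'exposed' or 'unknown'."""
    affected = version_is_affected(version)
    if affected is None:
        return "unknown"
    if not affected:
        return "patched"
    return "mitigated" if not zlib_enabled(compressors) else "exposed"


def triage_inventory(hosts) -> dict[str, str]:
    """Map host name -> triage result for (host, version, compressor setting) tuples."""
    return {name: triage(ver, comp) for name, ver, comp in hosts}


# Constructed sample inventory: (host, db.version(), configured compressors or None).
SAMPLE_INVENTORY = [
    ("prod-shard-1", "7.0.26", None),               # affected, no explicit setting
    ("prod-shard-2", "7.0.28", None),               # carries the fix
    ("analytics",    "6.0.27-ent", "snappy,zstd"),  # fixed, and zlib excluded anyway
    ("legacy-crm",   "4.2.25", "snappy,zstd"),      # unfixed branch, but zlib excluded
    ("legacy-erp",   "4.0.28", None),               # unfixed branch, zlib assumed on
    ("staging",      "8.2.2", "disabled"),          # affected, compression off entirely
    ("canary",       "9.0.0", None),                # branch not in the advisory's ranges
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

In practice the version string comes from db.version() and the compressor list from db.serverCmdLineOpts().parsed.net.compression.compressors on each instance. A "mitigated" result only holds if every mongod and mongos has been restarted with the new setting, and "unknown" means the branch needs to be checked against the vendor advisory rather than treated as safe.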

“CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a situation in which the MongoDB server may return uninitialized memory from its heap,” OP Innovate said. “This may expose sensitive data present in memory, including internal state details, pointers, or other information that could support follow-on exploitation.”


All Right Reserved by Jutsu Inc. | 2024