New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Heap Memory


A high-severity MongoDB vulnerability has been identified that enables unauthenticated clients to read uninitialized data from the server heap.

The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), is classed as improper handling of length parameter inconsistency (CWE-130), the weakness in which software fails to handle a length field that does not match the actual size of the data it describes. Here the length fields in question belong to the header of a zlib-compressed wire-protocol message.

“Mismatched length fields in zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client,” according to a description of the issue on CVE.org.
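To make the weakness class concrete, here is an added example in Python that is not code from the original article or from MongoDB. It models a zlib OP_COMPRESSED frame following the public wire-protocol layout (MsgHeader, originalOpcode, uncompressedSize, compressorId, compressed bytes), assumes MongoDB's 48 MB message ceiling as the size bound, uses a constructed {ping: 1} body, and contrasts a decoder that trusts the declared uncompressedSize with one that verifies it against the bytes zlib actually produced. It illustrates the bug class only; it is not a reconstruction of mongod's decoder or of any exploit.

```python
"""Length-field inconsistency in a zlib OP_COMPRESSED frame.

Constructed example, not mongod's code. It follows the public wire-protocol
layout (MsgHeader, originalOpcode, uncompressedSize, compressorId, compressed
bytes) and contrasts a decoder that trusts uncompressedSize with one that
checks it against what zlib really produced.
"""
import struct
import zlib

OP_COMPRESSED = 2012            # opCode of the compressed envelope
OP_MSG = 2013                   # opCode of the command message carried inside it
COMPRESSOR_ZLIB = 2             # compressorId: 0 noop, 1 snappy, 2 zlib, 3 zstd
HEADER_LEN = 16                 # MsgHeader: messageLength, requestID, responseTo, opCode
ENVELOPE_LEN = HEADER_LEN + 9   # plus originalOpcode (4), uncompressedSize (4), compressorId (1)
MAX_MESSAGE_BYTES = 48_000_000  # assumed ceiling for the example (MongoDB's 48 MB limit)

# Constructed OP_MSG body: flagBits = 0, one kind-0 section holding the BSON document {ping: 1}.
SAMPLE_BODY = b"\x00\x00\x00\x00" + b"\x00" + b"\x0f\x00\x00\x00\x10ping\x00\x01\x00\x00\x00\x00"


class MalformedMessage(ValueError):
    pass


def encode_op_compressed(body, request_id, declared_size=None):
    """Wrap an OP_MSG body in a zlib OP_COMPRESSED envelope.

    declared_size lets a test write an uncompressedSize that disagrees with the
    real body length, which is the inconsistency a decoder has to catch.
    """
    if declared_size is None:
        declared_size = len(body)
    payload = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + zlib.compress(body)
    header = struct.pack("<iiii", HEADER_LEN + len(payload), request_id, 0, OP_COMPRESSED)
    return header + payload


def _parse_envelope(msg):
    """Validate the fixed fields and return (original_opcode, uncompressed_size, compressed)."""
    if len(msg) < ENVELOPE_LEN:
        raise MalformedMessage("frame too short for an OP_COMPRESSED envelope")
    message_length, _request_id, _response_to, op_code = struct.unpack_from("<iiii", msg, 0)
    if op_code != OP_COMPRESSED:
        raise MalformedMessage("not an OP_COMPRESSED frame")
    if message_length != len(msg):
        raise MalformedMessage("messageLength disagrees with the bytes received")
    original_opcode, uncompressed_size, compressor_id = struct.unpack_from("<iiB", msg, HEADER_LEN)
    if compressor_id != COMPRESSOR_ZLIB:
        raise MalformedMessage("this example only handles zlib")
    if not 1 <= uncompressed_size <= MAX_MESSAGE_BYTES:
        raise MalformedMessage("uncompressedSize out of range")
    return original_opcode, uncompressed_size, msg[ENVELOPE_LEN:]


def decode_trusting_header(msg):
    """The unsafe pattern: size the output buffer from the header and pass the
    whole buffer on, regardless of how many bytes zlib actually wrote into it.

    Python zero-fills the buffer, so the unwritten tail appears as NUL bytes; a
    native allocator handing back a recycled block would leave stale heap
    contents there instead, which is the memory disclosure the CVE describes.
    """
    original_opcode, uncompressed_size, compressed = _parse_envelope(msg)
    out = bytearray(uncompressed_size)
    produced = zlib.decompress(compressed)
    n = min(len(produced), uncompressed_size)
    out[:n] = produced[:n]
    return original_opcode, bytes(out)


def decode_checked(msg):
    """Hardened pattern: cap the inflater at the declared size and require that
    the real output length, and the end of the zlib stream, match the header."""
    original_opcode, uncompressed_size, compressed = _parse_envelope(msg)
    inflater = zlib.decompressobj()
    # One byte beyond the declared size: a stream that inflates past the header
    # value shows up as an over-long result instead of an unbounded allocation.
    body = inflater.decompress(compressed, uncompressed_size + 1)
    if len(body) != uncompressed_size:
        raise MalformedMessage(
            f"header declares {uncompressed_size} bytes, zlib produced {len(body)}")
    if not inflater.eof or inflater.unconsumed_tail or inflater.unused_data:
        raise MalformedMessage("zlib stream does not end where the header says it should")
    return original_opcode, body


def rejected(msg):
    """True when the hardened decoder refuses msg."""
    try:
        decode_checked(msg)
    except MalformedMessage:
        return True
    return False
```

The point of the checked decoder is that uncompressedSize is treated as a claim to be verified, not as the allocation size to be trusted: the inflater is bounded by it, and both a shorter and a longer real output are rejected before any buffer sized from the header is handed to the rest of the server.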

The flaw affects the following MongoDB Server versions –

  • MongoDB 8.2.0 through 8.2.2 (8.2.3 contains the fix)
  • MongoDB 8.0.0 through 8.0.16
  • MongoDB 7.0.0 through 7.0.26
  • MongoDB 6.0.0 through 6.0.26
  • MongoDB 5.0.0 through 5.0.31
  • MongoDB 4.4.0 through 4.4.29
  • All MongoDB Server v4.2 versions
  • All MongoDB Server v4.0 versions
  • All MongoDB Server v3.6 versions

The bug has been remediated in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. No fixed release is listed for the 4.2, 4.0 and 3.6 branches, which are end-of-life; deployments still on them need to move to a supported branch to obtain the fix.

“A client-side exploit of the Server’s zlib implementation can cause the server to return uninitialized heap memory without requiring authentication,” MongoDB said. “We strongly recommend upgrading to a fixed version as soon as possible.”

If an immediate upgrade is not feasible, disable zlib on the server as an interim measure: start mongod or mongos with --networkMessageCompressors snappy,zstd, or set the equivalent net.compression.compressors: snappy,zstd in the YAML configuration file. On supported branches the default list (snappy,zstd,zlib) includes zlib, so an unmodified deployment will negotiate it with any client that offers it; snappy and zstd remain available as alternatives. Removing zlib takes the affected code path out of reach, but it is a workaround rather than a fix and should be followed by the upgrade.
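As an added example that is not MongoDB's tooling, the following Python audit reads the compressor list from the two places named above, --networkMessageCompressors on the command line and net.compression.compressors in the YAML file, reports whether zlib is in effect, and rewrites the value without it. The default list snappy,zstd,zlib, the accepted value disabled, the line-based YAML handling and the sample configuration are assumptions of the example.

```python
"""Audit and harden the server-side network compressor list.

Constructed example, not MongoDB tooling. It models how the compressor list is
read from the two places the advisory names: the --networkMessageCompressors
command-line option and the net.compression.compressors config-file key.
"""
import re

# Assumption: the list mongod/mongos use when the option is unset, which is why
# an unmodified deployment negotiates zlib.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"
# Assumption: accepted values; "disabled" switches network compression off entirely.
KNOWN = {"snappy", "zstd", "zlib", "disabled"}

# Constructed sample mongod.conf for the example.
SAMPLE_CONFIG = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd,zlib
storage:
  dbPath: /var/lib/mongo
"""

# Matches the value of a `compressors:` line; the example treats the YAML line by line.
_CONF_RE = re.compile(r"^\s*compressors:\s*(.+?)\s*$", re.MULTILINE)


def parse_compressors(value):
    """Split a compressor option string into a list, using the default when unset."""
    if value is None:
        value = DEFAULT_COMPRESSORS
    items = [p.strip() for p in value.split(",") if p.strip()]
    unknown = [p for p in items if p not in KNOWN]
    if unknown:
        raise ValueError(f"unknown compressor(s): {unknown}")
    return items


def compressors_from_argv(argv):
    """Value passed via --networkMessageCompressors (both `--opt value` and
    `--opt=value` forms), or None when the option is absent."""
    for i, arg in enumerate(argv):
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
    return None


def compressors_from_config(text):
    """net.compression.compressors value from YAML config text, or None when absent."""
    m = _CONF_RE.search(text)
    return m.group(1).strip("\"'") if m else None


def zlib_enabled(value):
    """True when the effective list (explicit or default) still offers zlib."""
    return "zlib" in parse_compressors(value)


def without_zlib(value):
    """The same list with zlib removed; falls back to disabled if nothing is left."""
    kept = [c for c in parse_compressors(value) if c != "zlib"]
    return ",".join(kept) if kept else "disabled"


def harden_config_text(text):
    """Rewrite the compressors line so zlib is gone. If the key is absent the
    default (which includes zlib) is in force, so a net.compression block is
    appended when no net: section exists yet; otherwise the caller is told to
    add the key inside the existing section rather than risk a duplicate key."""
    m = _CONF_RE.search(text)
    if m:
        new_value = without_zlib(m.group(1).strip("\"'"))
        return text[:m.start(1)] + new_value + text[m.end(1):]
    if re.search(r"^net:\s*$", text, re.MULTILINE):
        raise ValueError("net: section exists without compression.compressors; add the key there")
    return text.rstrip("\n") + "\nnet:\n  compression:\n    compressors: " + without_zlib(None) + "\n"
```

Note that an absent key is not a safe state: with nothing configured the default list applies, and zlib_enabled(None) reports True for that reason.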

“CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap,” OP Innovate said. “This could expose sensitive in-memory data, such as internal state details, pointers, or other information that may support an attacker in further exploitation.”


All Rights Reserved by Jutsu Inc. | 2024