Perceptive Security
SOC/SIEM Consultancy

MongoDB warns admins to patch severe RCE flaw immediately
Published:
24 December 2025 at 14:18:36
Alert date:
24 December 2025 at 16:02:33
Source:
bleepingcomputer.com
Database & Storage, Zero-Day Vulnerabilities
MongoDB has issued an urgent warning to administrators about a high-severity vulnerability that enables remote code execution (RCE) attacks on vulnerable servers. The company is urging immediate patching to prevent exploitation of this critical flaw that could allow attackers to execute arbitrary code remotely on affected MongoDB installations.
Technical details
CVE-2025-14847 is a high-severity vulnerability in MongoDB Server that can be exploited for remote code execution (RCE). The flaw stems from improper handling of a length parameter inconsistency (CWE-130) in the server's zlib network-message decompression and can be exploited by unauthenticated threat actors in low-complexity attacks that require no user interaction. A crafted compressed message from a client can cause the server's zlib implementation to return uninitialized heap memory without the client authenticating, allowing attackers to execute arbitrary code and potentially gain control of targeted servers.
Mitigation steps:
Immediately upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. If an immediate upgrade is not possible, disable zlib compression on the MongoDB Server by starting mongod or mongos with the --networkMessageCompressors command-line option, or the net.compression.compressors configuration-file setting, set to a compressor list that explicitly omits zlib.
Affected products:
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
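The following is an added triage helper, not code from the advisory or from MongoDB: it combines the fixed-version list from the mitigation step with the affected-line list above, treating a build as affected when it is older than the fix for its release line (or on a line listed as affected in every version), and then checks whether the instance's compressor setting still enables zlib. The default compressor list (snappy,zstd,zlib) used when no option is set is an assumption taken from MongoDB's documented default; release lines the advisory does not mention are reported as unlisted rather than guessed.

```python
"""Triage helper for CVE-2025-14847 (added example, not vendor code)."""
import re

# Fixed versions per release line, from the advisory's "upgrade to" list.
FIXED = {(8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
         (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30)}
# Release lines the advisory lists as affected in every version.
UNFIXED_LINES = {(4, 2), (4, 0), (3, 6)}
# Assumed default when --networkMessageCompressors / net.compression.compressors is unset.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text):
    """Turn '7.0.26' (or '7.0.26-rc0') into a comparable (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version):
    """'affected', 'fixed' or 'unlisted' for a mongod/mongos version string."""
    v = parse_version(version)
    line = v[:2]
    if line in UNFIXED_LINES:
        return "affected"
    if line in FIXED:
        return "fixed" if v >= FIXED[line] else "affected"
    return "unlisted"


def zlib_enabled(compressors=None):
    """True if zlib is in the effective compressor list.
    `compressors` is the configured value; None means the option was not set.
    The special value 'disabled' turns all compression off, so it yields False."""
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    names = [c.strip().lower() for c in value.split(",") if c.strip()]
    return "zlib" in names


def triage(version, compressors=None):
    """One-line verdict combining the version check and the workaround check."""
    status = version_status(version)
    if status == "fixed":
        return "patched"
    if status == "unlisted":
        return "unlisted: confirm against the vendor advisory"
    if zlib_enabled(compressors):
        return "VULNERABLE: upgrade or disable zlib"
    return "mitigated by compressor setting (upgrade still required)"


if __name__ == "__main__":
    # Constructed sample inventory: (version, configured compressors or None).
    for ver, comp in [("7.0.26", None), ("7.0.28", None), ("4.2.25", "snappy,zstd")]:
        print(ver, comp, "->", triage(ver, comp))
```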
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-14847
https://cwe.mitre.org/data/definitions/130.html
https://jira.mongodb.org/browse/SERVER-115508
https://www.cisa.gov/news-events/alerts/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog
https://www.cisa.gov/binding-operational-directive-22-01
This article was created with the assistance of AI technology by Perceptive.
