Perceptive Security
SOC/SIEM Consultancy

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory
Published:
27 December 2025 at 07:52:00
Alert date:
27 December 2025 at 09:02:16
Source:
thehackernews.com
Database & Storage, Zero-Day Vulnerabilities
A high-severity vulnerability (CVE-2025-14847) has been discovered in MongoDB with a CVSS score of 8.7. The flaw allows unauthenticated attackers to read uninitialized heap memory due to improper handling of a length parameter inconsistency. This is a significant security risk because it permits memory to be read from the server without any authentication. The defect lies in how the server handles cases where a declared length field disagrees with the actual data, potentially exposing sensitive information held in memory.
Technical details
The vulnerability is a case of improper handling of length parameter inconsistency (CWE-130) in Zlib-compressed protocol headers. Mismatched length fields in these headers allow an unauthenticated client to read uninitialized heap memory: the server's zlib decompression path returns memory that was never initialized, and the client receives it without ever authenticating. The disclosed bytes may include sensitive in-memory data such as internal state, pointers, or other data that could assist further exploitation.
Mitigation steps:
Upgrade to a fixed MongoDB version: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. If an immediate update is not possible, disable zlib compression on MongoDB Server by starting mongod or mongos with the networkMessageCompressors command-line option, or the net.compression.compressors configuration setting, set to a compressor list that explicitly omits zlib. Use the alternative compressors snappy and zstd instead.
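The following shell script is an added example, not part of the advisory or of MongoDB's own tooling. It shows the weak setting (zlib still in the compressor list) next to the hardened one, and audits either a mongod.conf file or a mongod/mongos command line for zlib. It assumes the YAML layout net.compression.compressors from MongoDB's configuration docs, and it assumes the documented default compressor list (snappy,zstd,zlib), so a config that omits the key entirely is reported as still allowing zlib; both sample config files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the advisory or of MongoDB's own tooling:
# audit a mongod.conf or a mongod/mongos command line for the zlib network
# compressor, and show the hardened setting beside the weak one.
# Assumptions: the YAML layout net.compression.compressors from MongoDB's docs,
# and the documented default compressor list (snappy,zstd,zlib), so a config
# that omits the key altogether is treated as still allowing zlib.

# Constructed sample: the weak setting, zlib still negotiable.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib   # zlib present
EOF

# Constructed sample: the hardened setting, zlib omitted.
HARDENED_CONF="$(mktemp)"
cat > "$HARDENED_CONF" <<'EOF'
net:
  port: 27017
  compression:
    compressors: snappy,zstd
EOF

# conf_compressors FILE -> prints the value of net.compression.compressors,
# with YAML comments and quotes stripped; prints nothing if the key is absent.
conf_compressors() {
  sed -n 's/^[[:space:]]*compressors:[[:space:]]*//p' "$1" \
    | sed 's/#.*//' | head -n 1 | tr -d ' "\047'
}

# cmdline_compressors "mongod ..." -> prints the value given to
# --networkMessageCompressors (either "--opt value" or "--opt=value" form).
# Does not follow a --config file; audit that file with conf_compressors.
cmdline_compressors() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    $0 == "--networkMessageCompressors" { getline; print; exit }
    sub(/^--networkMessageCompressors=/, "") { print; exit }'
}

# list_has_zlib LIST -> exit 0 when the comma-separated LIST names zlib.
# The value "disabled" (compression switched off) naturally returns non-zero.
list_has_zlib() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'zlib'
}

# conf_allows_zlib FILE -> exit 0 when mongod started with FILE would offer zlib.
conf_allows_zlib() {
  c="$(conf_compressors "$1")"
  if [ -z "$c" ]; then
    return 0   # key absent: default list includes zlib (assumption noted above)
  fi
  list_has_zlib "$c"
}

# cmdline_allows_zlib "mongod ..." -> exit 0 when that command line would offer zlib.
cmdline_allows_zlib() {
  c="$(cmdline_compressors "$1")"
  if [ -z "$c" ]; then
    return 0   # option absent: default list includes zlib
  fi
  list_has_zlib "$c"
}

# Report on the two constructed configs when run as a script.
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
  if conf_allows_zlib "$f"; then
    echo "$f: compressors=$(conf_compressors "$f") -> zlib ENABLED; upgrade or remove zlib"
  else
    echo "$f: compressors=$(conf_compressors "$f") -> zlib omitted"
  fi
done

# Hardened launch, equivalent to the HARDENED_CONF setting:
#   mongod --config /etc/mongod.conf --networkMessageCompressors snappy,zstd
```

Removing zlib from the list is a stopgap, not a substitute for the fixed versions listed above: the check only tells you whether an unpatched server would still negotiate zlib with a client. To confirm what a running instance actually parsed, compare the script's result with the options reported by db.adminCommand({ getCmdLineOpts: 1 }) in mongosh, which reflects both the config file and any command-line overrides.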
Affected products:
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
Related links:
https://cwe.mitre.org/data/definitions/130.html
https://www.cve.org/CVERecord?id=CVE-2025-14847
https://jira.mongodb.org/browse/SERVER-115508
https://www.mongodb.com/docs/drivers/node/current/connect/connection-options/network-compression/
https://www.mongodb.com/docs/manual/reference/program/mongod/#std-option-mongod.--networkMessageCompressors
https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-net.compression.compressors
https://op-c.net/blog/mongodb-zlib-protocol-vulnerability-cve-2025-14847/
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
