PT-2025-52440 · Mongodb+3 · Mongodb Server+4

Alan Coopersmith · Published 2025-12-19 · Updated 2026-05-05 · CVE-2025-14847

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

MongoDB Server versions prior to 8.2.3
MongoDB Server versions prior to 8.0.17
MongoDB Server versions prior to 7.0.28
MongoDB Server versions prior to 6.0.27
MongoDB Server versions prior to 5.0.32
MongoDB Server versions prior to 4.4.30
MongoDB Server versions 4.2.0 and earlier
MongoDB Server versions 4.0.0 and earlier
MongoDB Server versions 3.6.0 and earlier
Description

An issue exists in the handling of Zlib compressed protocol headers where mismatched length fields can allow an unauthenticated remote attacker to read uninitialized heap memory. This occurs because the server may return the size of the allocated memory buffer instead of the actual length of the decompressed data in the decompression logic that runs before authentication. This can lead to the exposure of sensitive information, such as passwords, API keys, session tokens, and other in-memory secrets.

Approximately 87,000 MongoDB servers are estimated to be exposed to the internet and potentially vulnerable, with 42% of cloud environments containing at least one vulnerable instance. Real-world exploitation has been reported, including claims of a breach at Ubisoft affecting Rainbow Six Siege, where attackers allegedly used this flaw to leak memory and pivot into internal systems.
Recommendations

Upgrade to version 8.2.3 or newer.
Upgrade to version 8.0.17 or newer.
Upgrade to version 7.0.28 or newer.
Upgrade to version 6.0.27 or newer.
Upgrade to version 5.0.32 or newer.
Upgrade to version 4.4.30 or newer.
For versions 4.2, 4.0, and 3.6, upgrade to a supported version or isolate the instances via firewall.

As a temporary mitigation, disable zlib compression by setting net.compression.compressors to snappy,zstd or disabled in the configuration, or use the networkMessageCompressors parameter. Restrict MongoDB server exposure through firewall rules, private networking or VPC-only access so that databases are not publicly accessible.
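As an added example (not part of this advisory or of MongoDB's own tooling), the following Python helper turns the version table and the compression mitigation above into a fleet check: given a server's reported version string and its net.compression.compressors value, it reports whether the host is patched, merely mitigated (zlib disabled, upgrade still pending), or exposed. It assumes plain "X.Y.Z" version strings and treats an omitted compressors setting as leaving zlib negotiable; branches the advisory does not list are reported as unpatched so they get reviewed by hand.

```python
from typing import Optional, Tuple

# First fixed release per supported branch, taken from the advisory above.
# Branches 4.2, 4.0 and 3.6 have no fixed release and are absent on purpose.
FIXED_RELEASES = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.0.27' (optionally with a '-suffix') into a comparable tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_is_patched(text: str) -> bool:
    """True only if the build is at or past the fix for its own branch."""
    v = parse_version(text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return False  # EOL branch or one not listed: treat as unpatched
    return v >= fixed


def zlib_enabled(compressors: Optional[str]) -> bool:
    """Interpret net.compression.compressors (comma-separated list)."""
    if compressors is None:
        return True  # assumption: an omitted setting still offers zlib
    names = {c.strip().lower() for c in compressors.split(",") if c.strip()}
    if names == {"disabled"}:
        return False  # compression switched off entirely
    return "zlib" in names


def assess(version: str, compressors: Optional[str] = None) -> str:
    """Return 'patched', 'mitigated' (zlib off, still upgrade) or 'exposed'."""
    if version_is_patched(version):
        return "patched"
    if not zlib_enabled(compressors):
        return "mitigated"
    return "exposed"
```

Run assess() over each host's reported version and configured compressors; anything other than "patched" belongs on the upgrade list, and "mitigated" hosts should keep the firewall isolation the advisory recommends until they are upgraded.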

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-16225
BIT-MONGODB-2025-14847
CLEANSTART-2026-AT88149
CLEANSTART-2026-DT95939
CLEANSTART-2026-ON55906
CLEANSTART-2026-RG55910
CLEANSTART-2026-RN77098
CLEANSTART-2026-RS39538
CVE-2025-14847
USN-8160-1

Affected Products

Linuxmint
Mongodb Server
Mongodb
Red Os
Ubuntu