
The problem is rooted in MongoDB Server's zlib message decompression implementation ("message_compressor_zlib.cpp"). It affects instances with zlib compression enabled, which is the default configuration. Successful exploitation of the shortcoming could allow an attacker to extract sensitive information from MongoDB servers, including user information, passwords, and API keys.
"A flaw in zlib compression allows attackers to trigger information leakage," OX Security said. "By sending malformed network packets, an attacker can extract fragments of private data."
Cloud security company Wiz said CVE-2025-14847 stems from a flaw in the zlib-based network message decompression logic, enabling an unauthenticated attacker to send malformed, compressed network packets to trigger the vulnerability and access uninitialized heap memory without valid credentials or user interaction. "The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory," security researchers Merav Bar and Amitai Cohen said. "Because the vulnerability is reachable prior to authentication and does not require user interaction, Internet-exposed MongoDB servers are particularly at risk."
An unauthenticated remote information-leak vulnerability (CVE-2025-14847, also called MongoBleed, CVSS 8.7) affects MongoDB servers with zlib compression enabled, which is the default configuration. The flaw resides in the zlib message decompression implementation: an attacker can send malformed compressed network packets that cause the server to return uninitialized heap memory, remotely leaking sensitive data such as user records, passwords, and API keys. Exploitation requires neither authentication nor user interaction, has been observed in the wild, and over 87,000 potentially vulnerable instances have been identified. The underlying bug is that the decompression code returns the allocated buffer size instead of the actual decompressed length, so adjacent heap memory is exposed.
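The length-accounting defect described above, shown as an added Go example that is not MongoDB's code (the real implementation is C++; the declared length used as the buffer size, the reused buffer holding stale "secret" bytes and the sample message are constructed assumptions for illustration): the vulnerable function hands back the whole buffer sized from the untrusted declared length, while the fixed function returns only what inflate actually wrote and rejects a size mismatch.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
)

// makePayload zlib-compresses a plaintext message (constructed test input).
func makePayload(plain []byte) []byte {
	var b bytes.Buffer
	w := zlib.NewWriter(&b)
	w.Write(plain)
	w.Close()
	return b.Bytes()
}

// inflateInto fills out from the zlib stream and reports the bytes actually written.
func inflateInto(payload, out []byte) (int, error) {
	zr, err := zlib.NewReader(bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	return io.ReadFull(zr, out) // short stream: n < len(out), io.ErrUnexpectedEOF
}

// decompressVulnerable mirrors the bug: out is a reused buffer sized from the
// untrusted declared length, yet the whole buffer (output.length()) is returned.
func decompressVulnerable(payload, out []byte) []byte {
	inflateInto(payload, out) // the written byte count is thrown away
	return out                // BUG: len(out) bytes, stale bytes included
}

// decompressFixed returns only the bytes inflate produced and rejects a
// payload whose real size does not match the declared size (len(out)).
func decompressFixed(payload, out []byte) ([]byte, error) {
	n, err := inflateInto(payload, out)
	if err != nil {
		return nil, fmt.Errorf("declared %d bytes, inflated %d: %w", len(out), n, err)
	}
	return out[:n], nil
}

// staleBuffer models heap memory reused without zeroing (constructed sample data).
func staleBuffer(declaredLen int) []byte {
	buf := make([]byte, declaredLen)
	copy(buf, "secret:api-key-constructed") // left behind by an earlier request
	return buf
}
```

With a two-byte message declared as 32 bytes, decompressVulnerable returns 32 bytes of which 30 are the earlier request's leftovers, while decompressFixed returns an error; only a declared length that matches the real size yields the plaintext.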
Read at The Hacker News