
"The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data. "Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client," according to a description of the flaw in CVE.org."
""A client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server," MongoDB said. "We strongly recommend upgrading to a fixed version as soon as possible." If an immediate update is not an option, it's recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd."
CVE-2025-14847 is a high-severity (CVSS 8.7) vulnerability in how MongoDB Server handles zlib-compressed protocol messages: when the length field in the compressed header disagrees with the actual length of the inflated data, the server can hand uninitialized heap memory back to a client that has not authenticated. Affected releases are every 3.6, 4.0 and 4.2 release, plus 4.4.0–4.4.29, 5.0.0–5.0.31, 6.0.0–6.0.26, 7.0.0–7.0.26, 8.0.0–8.0.16, and the 8.2 releases before 8.2.3. The leaked memory can contain sensitive in-memory data such as internal state and pointers, which can help an attacker with further exploitation. Fixes ship in 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17 and 8.2.3; no fixed release is listed for 3.6, 4.0 or 4.2, so on those branches disabling zlib is the only mitigation the advisory offers. Upgrade to a fixed version as soon as possible; where that is not yet possible, start mongod and mongos with a compressor list that omits zlib (snappy and zstd remain available). Because no credentials are required, any host that can reach the listening port can trigger the leak, so network exposure of the port is the other lever to pull in the meantime.
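The bug class described above, as an added illustration rather than MongoDB's own code or the actual fix: a decoder that sizes its output by the header's uncompressedSize and returns that many bytes regardless of how many the inflater produced, beside a decoder that insists the two agree. The message layout (16-byte MsgHeader, then originalOpcode int32, uncompressedSize int32, compressorId uint8, payload) and the zlib compressor id of 2 follow the public wire-protocol documentation as I recall it; the opcode constants, the MAX_MESSAGE ceiling and the 0xAA marker standing in for never-cleared heap contents are assumptions of this example, and the sample message is constructed here.

```python
"""Constructed illustration of a length-field inconsistency in a compressed
protocol header (the class of bug behind CVE-2025-14847). Not MongoDB's code.

Modelled OP_COMPRESSED layout (assumed from the public wire-protocol docs):
  MsgHeader: messageLength, requestID, responseTo, opCode   (4 x int32 LE)
  originalOpcode int32, uncompressedSize int32, compressorId uint8, payload
A marker-filled bytearray stands in for a heap buffer that was never cleared.
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MSG_HEADER_LEN = 16
COMPRESSED_HEADER_LEN = 9            # int32 + int32 + uint8
MAX_MESSAGE = 48 * 1000 * 1000       # assumed server-side message ceiling
STALE = 0xAA                         # stands for leftover heap contents


def build_op_compressed(payload: bytes, claimed_size: int, request_id: int = 1) -> bytes:
    """Encode payload as an OP_COMPRESSED/zlib message with a caller-chosen uncompressedSize."""
    body = struct.pack("<iiB", OP_MSG, claimed_size, COMPRESSOR_ZLIB) + zlib.compress(payload)
    header = struct.pack("<iiii", MSG_HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def parse_compressed(msg: bytes):
    """Return (uncompressedSize as claimed by the header, compressed payload bytes)."""
    message_length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if message_length != len(msg) or opcode != OP_COMPRESSED:
        raise ValueError("not a well-formed OP_COMPRESSED message")
    _orig, claimed_size, compressor_id = struct.unpack_from("<iiB", msg, MSG_HEADER_LEN)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("only zlib is modelled here")
    return claimed_size, msg[MSG_HEADER_LEN + COMPRESSED_HEADER_LEN:]


def vulnerable_decode(msg: bytes) -> bytes:
    """Trusts the header: the returned message is claimed_size bytes long no matter
    how many bytes inflate produced, so everything past the real data is stale."""
    claimed_size, compressed = parse_compressed(msg)
    out = bytearray(bytes([STALE]) * max(claimed_size, 0))   # malloc(claimed_size), never zeroed
    inflated = zlib.decompress(compressed)
    n = min(len(inflated), claimed_size)                      # bounded copy into out
    out[:n] = inflated[:n]
    return bytes(out)                # BUG: length taken from the header, not from inflate


def hardened_decode(msg: bytes) -> bytes:
    """Accepts the message only if inflate yields exactly claimed_size bytes and
    the compressed stream is fully consumed with nothing left over."""
    claimed_size, compressed = parse_compressed(msg)
    if not 0 <= claimed_size <= MAX_MESSAGE:
        raise ValueError("uncompressedSize out of range")
    d = zlib.decompressobj()
    # Ask for one byte more than claimed: an oversize stream is then detected
    # without inflating it all, and an exact-size stream still reaches end-of-stream.
    inflated = d.decompress(compressed, claimed_size + 1)
    if len(inflated) != claimed_size or not d.eof or d.unused_data:
        raise ValueError("uncompressedSize does not match the inflated length")
    return inflated


def hardened_rejects(msg: bytes) -> bool:
    """True if the checking decoder refuses the message."""
    try:
        hardened_decode(msg)
    except ValueError:
        return True
    return False


def leaked_tail(msg: bytes) -> bytes:
    """Bytes the vulnerable decoder hands back beyond the real payload."""
    real = zlib.decompress(parse_compressed(msg)[1])
    return vulnerable_decode(msg)[len(real):]


if __name__ == "__main__":
    payload = b'{"hello": 1}'                       # 12 bytes
    lying = build_op_compressed(payload, 64)         # header claims 64, inflate yields 12
    print("vulnerable decoder returned", len(vulnerable_decode(lying)), "bytes,",
          len(leaked_tail(lying)), "of them stale buffer contents")
    print("hardened decoder rejects it:", hardened_rejects(lying))
```

The interim mitigation from the advisory is a server-side compressor list without zlib, for example `mongod --networkMessageCompressors snappy,zstd` or, in the YAML config, `net.compression.compressors: snappy,zstd`; compression is negotiated per connection, so the list configured on mongod and mongos is what decides whether a client can select zlib at all.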
Read at The Hacker News