CVE-2025-14847 HIGH

Published: 2025-12-19 | Last Modified: 2026-01-13 | Status: Analyzed

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	NONE
Availability Impact	NONE

Source: [email protected]

Type: Secondary

Exploitability Score: 3.9

Impact Score: 3.6

Base Score: 8.7 (HIGH)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector	NETWORK
Attack Complexity	LOW
Attack Requirements	NONE
Privileges Required	NONE
User Interaction	NONE
Vulnerability Confidentiality	HIGH
Vulnerability Integrity	NONE
Vulnerability Availability	NONE
Subsequent Confidentiality	NONE
Subsequent Integrity	NONE
Subsequent Availability	NONE

Source: [email protected]

Type: Secondary

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-130

Affected Products

Vendor	Product	Version	Update	Type
mongodb	mongodb	*	<built-in method update of dict object at 0x72a9cc82b480>	Application
mongodb	mongodb	*	<built-in method update of dict object at 0x72a9cc64cd40>	Application
mongodb	mongodb	*	<built-in method update of dict object at 0x72a9cc64ffc0>	Application
mongodb	mongodb	*	<built-in method update of dict object at 0x72a9cc64e780>	Application
mongodb	mongodb	*	<built-in method update of dict object at 0x72a9cd0ba1c0>	Application
mongodb	mongodb	*	<built-in method update of dict object at 0x72a9cc66bb40>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:mongodb:mongodb::::::::`
Yes	`cpe:2.3:a:mongodb:mongodb::::::::`
Yes	`cpe:2.3:a:mongodb:mongodb:::::-:::*`
Yes	`cpe:2.3:a:mongodb:mongodb:::::-:::*`
Yes	`cpe:2.3:a:mongodb:mongodb:::::-:::*`
Yes	`cpe:2.3:a:mongodb:mongodb:::::-:::*`

References

https://jira.mongodb.org/browse/SERVER-115508
Source: [email protected]

Issue Tracking Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/29/21
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List
https://www.smartkeyss.com/post/mongobleed-pre-auth-memory-disclosure-via-op_compressed-in-mongodb-cve-2025-14847
Source: af854a3a-2127-422b-91ae-364da2661108

Technical Description Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server
Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server
Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Third Party Advisory US Government Resource