New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

Posted on By CWS

Dec 27, 2025Ravie LakshmananDatabase Safety / Vulnerability
A high-severity safety flaw has been disclosed in MongoDB that would enable unauthenticated customers to learn uninitialized heap reminiscence.
The vulnerability, tracked as CVE-2025-14847 (CVSS rating: 8.7), has been described as a case of improper dealing with of size parameter inconsistency, which arises when a program fails to appropriately deal with situations the place a size subject is inconsistent with the precise size of the related knowledge.
“Mismatched size fields in Zlib compressed protocol headers could enable a learn of uninitialized heap reminiscence by an unauthenticated consumer,” based on an outline of the flaw in CVE.org.

The flaw impacts the next variations of the database –

MongoDB 8.2.0 by means of 8.2.3
MongoDB 8.0.0 by means of 8.0.16
MongoDB 7.0.0 by means of 7.0.26
MongoDB 6.0.0 by means of 6.0.26
MongoDB 5.0.0 by means of 5.0.31
MongoDB 4.4.0 by means of 4.4.29
All MongoDB Server v4.2 variations
All MongoDB Server v4.0 variations
All MongoDB Server v3.6 variations

The problem has been addressed in MongoDB variations 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
“An client-side exploit of the Server’s zlib implementation can return uninitialized heap reminiscence with out authenticating to the server,” MongoDB stated. “We strongly suggest upgrading to a set model as quickly as doable.”

If rapid replace shouldn’t be an possibility, it is really helpful to disable zlib compression on the MongoDB Server by beginning mongod or mongos with a networkMessageCompressors or a web.compression.compressors possibility that explicitly omits zlib. The opposite compressor choices supported by MongoDB are snappy and zstd.
“CVE-2025-14847 permits a distant, unauthenticated attacker to set off a situation through which the MongoDB server could return uninitialized reminiscence from its heap,” OP Innovate stated. “This might end result within the disclosure of delicate in-memory knowledge, together with inner state info, pointers, or different knowledge that will help an attacker in additional exploitation.”

The Hacker News Tags:, , , , , , ,

Related Posts

VS Code Forks Recommend Missing Extensions, Creating Supply Chain Risk in Open VSX VS Code Forks Recommend Missing Extensions, Creating Supply Chain Risk in Open VSX The Hacker News
Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names The Hacker News
Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server The Hacker News
SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats The Hacker News
Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages The Hacker News
CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs The Hacker News