Vulnerability Description
Mismatched length fields in Zlib-compressed protocol headers may allow an unauthenticated client to read uninitialized heap memory. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mongodb | Mongodb | >= 3.6.0, < 4.4.30 |
Related Weaknesses (CWE)
References
- https://jira.mongodb.org/browse/SERVER-115508 (Issue Tracking, Patch, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2025/12/29/21 (Mailing List)
- https://www.smartkeyss.com/post/mongobleed-pre-auth-memory-disclosure-via-op_com (Technical Description, Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memo (Exploit, Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-mem (Exploit, Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025- (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2025-14847?
CVE-2025-14847 is a vulnerability with a CVSS score of 7.5 (HIGH). Mismatched length fields in Zlib-compressed protocol headers may allow an unauthenticated client to read uninitialized heap memory. This issue affects all MongoDB Server v7.0 prior to 7.0.28 vers...
How severe is CVE-2025-14847?
CVE-2025-14847 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2025-14847?
Check the references section above for vendor advisories and patch information. Affected products include: Mongodb Mongodb (MongoDB Server).