Get a Demo
Under Attack?
CVE-2025-14847: MongoDB zlib Compression Memory Disclosure
CVE-2025-14847: MongoDB zlib Compression Memory Disclosure

CVE-2025-14847: MongoDB zlib Compression Memory Disclosure

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Avital Harel December 23, 2025

Executive Summary

A critical unauthenticated vulnerability (CVE-2025-14847) has been identified in MongoDB Server, affecting how the database processes zlib-compressed network traffic.

Under specific conditions, a remote attacker can trigger MongoDB to return uninitialized heap memory as part of a server response. Because this data originates from process memory, it may contain fragments of previously handled data, internal state, or sensitive values.

No authentication is required. The only prerequisite is network access to a MongoDB instance with compression enabled.

This issue turns internal memory into attacker-observable output.

What Is MongoDB?

MongoDB is a widely used NoSQL document database, commonly deployed as a core backend component in modern applications. It is frequently used for:

  • Application data storage
  • User profiles and session data
  • Internal service state
  • Analytics and logging pipelines

MongoDB supports network-level compression to reduce bandwidth usage between clients and servers. One of the supported compression algorithms is zlib, which is where this vulnerability originates.

Because MongoDB is often exposed inside cloud environments – sometimes unintentionally – flaws in its network protocol handling have a large blast radius.

What Versions Are Affected?

CVE-2025-14847 affects multiple MongoDB major releases:

Vulnerable versions include:

  • MongoDB 3.6.x
  • MongoDB 4.0.x
  • MongoDB 4.2.x
  • MongoDB 4.4.x4.4.29
  • MongoDB 5.0.x5.0.31
  • MongoDB 6.0.x6.0.26
  • MongoDB 7.0.x7.0.26
  • MongoDB 8.0.x8.0.16
  • MongoDB 8.2.x8.2.2

Fixed versions:

  • 4.4.30
  • 5.0.32
  • 6.0.27
  • 7.0.28
  • 8.0.17
  • 8.2.3

Root Cause: What Goes Wrong

The vulnerability exists in MongoDB’s handling of compressed protocol messages.

At a high level:

  • MongoDB accepts zlib-compressed requests at the network layer
  • Certain malformed compressed frames cause a length mismatch during decompression
  • As a result, MongoDB may include uninitialized heap memory in its response

The leaked memory originates from the MongoDB process itself and was never intended to be returned to clients.

Impact: What Data Can Leak?

Depending on heap layout and request timing, leaked memory may contain:This memory was never meant to be returned to the client. Depending on timing and heap layout, leaked data may include:

  • Parts of previous query results
  • Internal server state
  • Recently handled sensitive values
  • Residual authentication-related data

No authentication is required. Network access alone is sufficient.

How to Identify If You Are Vulnerable

1. Check Your MongoDB Version

    If you are running any MongoDB version listed above and have not upgraded to a fixed release, you should assume exposure.

    2. Check Whether Compression Is Enabled

      MongoDB enables network compression through client and server negotiation. If your deployment supports or allows zlib compression, the vulnerable code path may be reachable.

      3. Check Network Exposure

      Risk increases significantly if MongoDB is:

      • Accessible from untrusted networks
      • Exposed to VPC peers or shared cloud environments
      • Reachable by CI/CD systems, agents, or third-party services

      Any network path into MongoDB expands the attack surface for unauthenticated exploitation.

      How to Prevent It

      1. Upgrade MongoDB

            The most effective mitigation is upgrading to a fixed MongoDB release listed above. This ensures proper validation and safe handling of compressed network data.

            2. Restrict Network Access

              MongoDB should never be broadly reachable. Apply:

              • Firewall rules
              • Security group restrictions
              • Private network isolation

              Only trusted application components should be able to connect.

              3. Disable zlib Compression (If Possible)

                If upgrades are delayed, disabling zlib compression can reduce exposure until patches are applied.

                4. Monitor for Anomalous Protocol Behavior

                  Unexpected compressed requests, malformed frames, or abnormal response sizes should be treated as suspicious signals.

                  Securing MongoDB Deployments with Upwind

                  Patching is critical, but visibility matters just as much. Upwind helps teams manage risks like CVE-2025-14847 by identifying vulnerable MongoDB versions across cloud environments, detecting exposed database services and unintended network paths, monitoring runtime behavior for anomalous protocol activity, and highlighting risky configurations that unnecessarily expand blast radius.

                  401 Authorization Required

                  401 Authorization Required


                  nginx
                  Contents

                  Further Reading

                  Superhuman AI

                  Security AI Needs an Honest Scoreboard: What It’s Superhuman At, and Where It Comes Up Short

                  If you follow AI at all, you know the leaderboards. Every few weeks a model takes the top spot, and we all check where our favorite landed. But a leaderboard only tells you who's ahead, and it stays quiet about where any of those models still come up short. Which, conveniently, is the part that…
                  Focus Mode

                  Find What Matters with Upwind Focus Mode

                  Focus Mode is now available in the Upwind platform, giving security teams a faster, more focused way to work. Instead of navigating across the platform, you can switch to Focus Mode to slice and dice the Upwind platform by Vulnerability Management, Cloud Security Posture, Attack Surface Management, Administration, or Threats, and starting next week, AI…
                  Early Advisories

                  Introducing Early Advisories: Turn Emerging Threats into Action

                  We’re excited to introduce Early Advisories as part of the Upwind platform. Powered by Upwind's security research team, Early Advisories notify customers about emerging threats, including zero-days and supply chain attacks, before they receive a CVE identifier. Early Advisories are published directly into the Vulnerabilities module alongside CVE-based findings and automatically correlated with your live…