Update 12/26/25: Article updated to correct that the flaw has not been officially classified as an RCE.
MongoDB has warned IT admins to immediately patch a high-severity memory-read vulnerability that may be exploited by unauthenticated attackers remotely.
Tracked as CVE-2025-14847, the security flaw affects multiple MongoDB and MongoDB Server versions and may be abused by unauthenticated threat actors in low-complexity attacks that don't require user interaction.
"A client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible," MongoDB's security team said in a Friday advisory.
"We strongly suggest you upgrade immediately. If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib."
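The workaround above turns on the compressor list the server accepts, so the practical check is whether that list still contains zlib. The following POSIX shell helpers are an added example, not code from the article or from MongoDB: they parse a compressor list, report whether a mongod.conf-style snippet leaves zlib enabled (treating an absent setting as "default", since the server default compressor list in current releases includes zlib), and build the corresponding `--networkMessageCompressors` argument with zlib removed. The option names come from the advisory; the config snippets are constructed sample input.

```shell
#!/bin/sh
# Added example: audit and harden the MongoDB network compressor setting.
# Option names (net.compression.compressors, --networkMessageCompressors) are
# the real ones named in MongoDB's advisory; the config text below is constructed.

# Returns success (0) if a comma-separated compressor list contains zlib.
compressors_include_zlib() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -qx 'zlib'
}

# Echoes the compressor list with zlib removed, keeping the other entries in order.
compressors_without_zlib() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -vx 'zlib' | grep -v '^$' | paste -s -d ',' -
}

# Reads mongod.conf-style YAML on stdin and echoes the value of the
# "compressors:" key (assumes the simple single-line form; quotes are stripped).
conf_compressors() {
    sed -n 's/^[[:space:]]*compressors:[[:space:]]*//p' | tr -d "\"'" | head -n 1
}

# Reads a config on stdin and echoes one of: enabled, disabled, default.
# "default" means the key is absent, so the server's built-in default list
# (which includes zlib in current releases) applies: treat it as not mitigated.
conf_zlib_status() {
    value=$(conf_compressors)
    if [ -z "$value" ]; then
        echo default
    elif compressors_include_zlib "$value"; then
        echo enabled
    else
        echo disabled
    fi
}

# Echoes the command-line form of the mitigation for a given current list.
mongod_flag_without_zlib() {
    printf '%s %s\n' '--networkMessageCompressors' "$(compressors_without_zlib "$1")"
}

# Constructed sample configs: the weak (default-equivalent) setting and the hardened one.
SAMPLE_CONF='net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib'
HARDENED_CONF='net:
  port: 27017
  compression:
    compressors: snappy,zstd'

# Stand-alone demonstration when run directly.
printf 'sample config zlib status:   %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | conf_zlib_status)"
printf 'hardened config zlib status: %s\n' "$(printf '%s\n' "$HARDENED_CONF" | conf_zlib_status)"
printf 'equivalent startup flag:     %s\n' "$(mongod_flag_without_zlib 'snappy,zstd,zlib')"
```

The status function deliberately reports an absent key as its own state rather than "disabled": a config file that never mentions compressors has not opted out of zlib, which is the case most likely to be missed during a quick audit.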
CVE-2025-14847 stems from improper handling of a length parameter inconsistency, classified as CWE-130, a weakness class that, according to the CWE description, could in some cases allow attackers to execute arbitrary code and gain control of targeted devices.
To patch the security flaw and block potential attacks, admins are advised to immediately upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
The vulnerability impacts the following MongoDB versions:
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16