CVE ID: CVE-2025-14847
Published: 2025-12-19
Updated: 4 months ago
Vendor/s: MongoDB
Product/s: MongoDB and MongoDB Server
Version/s: 3.6.0 to 4.4.30
KEV Status: Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1): 7.5 / 10 (High)

Severity Details
Base score: 7.5 High
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Description

CVE-2025-14847 is a high-severity heap memory read vulnerability in MongoDB Server. Active exploitation reported; update to patched versions immediately.

CPE

MongoDB

Product    Version Start    Version End (excl.)    Status
mongodb    3.6.0            4.4.30                 vulnerable
mongodb    5.0.0            5.0.32                 vulnerable
mongodb    6.0.0            6.0.27                 vulnerable
mongodb    7.0.0            7.0.28                 vulnerable
mongodb    8.0.0            8.0.17                 vulnerable
mongodb    8.2.0            8.2.3                  vulnerable

Related weakness (CWE)

CWE-130: Improper Handling of Length Parameter Inconsistency

Remediation plan

1. Apply official patches

Download and install the latest security updates provided by MongoDB for your specific release branch to address the Zlib header processing flaw.

2. Update affected systems

Upgrade MongoDB Server to versions 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, 8.2.3, or later to ensure the vulnerability is remediated across your infrastructure.

3. Restrict access

Use firewalls and network segmentation to ensure that MongoDB instances (typically port 27017) are not exposed to the public internet and are only accessible from trusted application servers.

4. Monitor for exploitation

Implement monitoring for anomalous network traffic targeting MongoDB ports, specifically looking for malformed wire protocol packets or repeated connection resets involving compressed headers.

Detection Guidance

Security teams should monitor network traffic for malformed MongoDB wire protocol messages that use Zlib compression. Specifically, look for packets where the declared length in the header does not match the actual payload size. Review MongoDB logs for unexpected mongod process crashes or 'mismatched length' errors. Intrusion Detection Systems (IDS) should be updated with signatures identifying invalid compression metadata in MongoDB traffic.
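One way to implement the length-consistency check described above, as an added example that is not code from MongoDB or from this advisory's source: it parses a MongoDB wire-protocol OP_COMPRESSED message, compares the header's messageLength with the bytes actually received, and inflates a zlib payload under a bound so the result can be compared with the declared uncompressedSize. The opcode and compressor-ID constants are the wire protocol's documented values; the sample messages are constructed inline by a helper written for this example.

```python
import struct
import zlib

OP_COMPRESSED = 2012          # wire-protocol opcode for a compressed message
OP_MSG = 2013                 # opcode used for the pretend inner message in samples
ZLIB_COMPRESSOR_ID = 2        # compressorId: 0 noop, 1 snappy, 2 zlib, 3 zstd


def check_compressed_message(msg: bytes) -> list:
    """Return the length inconsistencies found in one message; [] means consistent."""
    findings = []
    if len(msg) < 16:
        return ["message shorter than the 16-byte standard header"]
    message_length, _request_id, _response_to, op_code = struct.unpack_from("<iiii", msg, 0)
    if message_length != len(msg):
        findings.append(f"header messageLength {message_length} != {len(msg)} bytes received")
    if op_code != OP_COMPRESSED:
        return findings  # only OP_COMPRESSED carries compression metadata
    if len(msg) < 25:
        findings.append("OP_COMPRESSED body truncated before compressorId")
        return findings
    _original_opcode, uncompressed_size, compressor_id = struct.unpack_from("<iiB", msg, 16)
    if uncompressed_size < 0:
        return findings + [f"negative uncompressedSize {uncompressed_size}"]
    if compressor_id != ZLIB_COMPRESSOR_ID:
        return findings  # this check only inflates zlib payloads
    inflater = zlib.decompressobj()
    try:
        # Bound the inflate to one byte past the declared size so a stream that
        # expands beyond its metadata is detected without unbounded output.
        out = inflater.decompress(msg[25:], uncompressed_size + 1)
    except zlib.error as exc:
        return findings + [f"zlib payload does not inflate: {exc}"]
    if len(out) > uncompressed_size:
        findings.append(f"inflated payload exceeds declared uncompressedSize {uncompressed_size}")
    elif not inflater.eof:
        findings.append(f"zlib stream incomplete: {len(out)} of declared {uncompressed_size} bytes")
    elif len(out) != uncompressed_size:
        findings.append(f"inflated size {len(out)} != declared uncompressedSize {uncompressed_size}")
    return findings


def build_op_compressed(body: bytes, declared_size=None, request_id: int = 1) -> bytes:
    """Constructed sample only: wrap `body` in a zlib OP_COMPRESSED envelope; `declared_size` overrides uncompressedSize."""
    compressed = zlib.compress(body)
    declared = len(body) if declared_size is None else declared_size
    extra = struct.pack("<iiB", OP_MSG, declared, ZLIB_COMPRESSOR_ID)
    header = struct.pack("<iiii", 16 + len(extra) + len(compressed), request_id, 0, OP_COMPRESSED)
    return header + extra + compressed
```

Run `check_compressed_message` over each message taken off the wire; any non-empty result is the kind of metadata mismatch worth alerting on.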

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
