MongoDB Server Memory Leak Vulnerability

Overview

• CVE: CVE-2025-14847

• Severity: Critical

• Date: 30 Dec 2025

Summary

MongoDB has released updates to address a high severity vulnerability in MongoDB Server affecting multiple versions. The flaw allows unauthenticated clients to read uninitialised heap memory via mismatched Zlib header lengths.

Affected Versions

Versions of MongoDB Server affected include:

• 3.6.x all versions

• 4.0.x all versions

• 4.2.x all versions

• 4.4.x prior to 4.4.30

• 5.0.x prior to 5.0.32

• 6.0.x prior to 6.0.27

• 7.0.x prior to 7.0.28

• 8.0.x prior to 8.0.17

• 8.2.x prior to 8.2.3

Vulnerability Breakdown

CVE-2025-14847

• Severity: Critical

• CVSS: 8.7

• Description: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialised heap memory by an unauthenticated client.

• Impact: Potential information disclosure of heap memory contents.

• Conditions: Unauthenticated network access to the MongoDB Server.

Mitigation

• Update to the latest patched versions immediately:

  • 4.4.30

  • 5.0.32

  • 6.0.27

  • 7.0.28,

  • 8.0.17

  • 8.2.3

• If immediate patching is not possible, restrict network access to trusted clients only.

Summary for IT Teams

• Products: MongoDB Server

• Threat Level: High, CVSS 8.7

• Action Required: Patch immediately to the latest supported version.

Reference

• MongoDB CVE-2025-14847 Advisory

• NIST NVD CVE-2025-14847

Need Help?

If your organisation requires assistance identifying affected systems, enforcing browser updates or reviewing browser security policies, please contact our SOC team via soc@secure-iss.com.