AI description
CVE-2025-14847 is a vulnerability in MongoDB Server's handling of compressed wire-protocol messages when the zlib compressor is used (CWE-130, improper handling of length parameter inconsistency). The header that wraps a zlib-compressed message carries its own length field; when that field disagrees with the amount of data zlib actually produces, the server can read uninitialized heap memory. A client that sends such a crafted message can therefore receive chunks of the server process's memory in the response, and no username or password is required, only network access to the database port. Affected releases are 7.0 before 7.0.28, 8.0 before 8.0.17, 8.2 before 8.2.3, 6.0 before 6.0.27, 5.0 before 5.0.32 and 4.4 before 4.4.30; the 4.2, 4.0 and 3.6 series are listed as affected with no fixed release. Because the leak is unauthenticated, any mongod reachable from an untrusted network should be treated as exposed until it is upgraded.
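The length-field mismatch described above, shown as an added example that is not code from this page or from the MongoDB project. The frame layout follows the documented OP_COMPRESSED envelope (MsgHeader, then originalOpcode, uncompressedSize, compressorId, then the deflated body with its 16-byte header stripped); `decode_lenient` models the CWE-130 pattern of trusting `uncompressedSize`, with a constructed `STALE_HEAP` marker standing in for whatever the allocator left in the buffer, and `decode_strict` is the hardened form. The exact code path inside mongod is not on this page and is not reproduced; `MAX_UNCOMPRESSED`, the function names and the sample body are assumptions of this example.

```python
import struct
import zlib

OP_COMPRESSED = 2012                  # wire-protocol opcode of the compression envelope
OP_MSG = 2013                         # opcode of the wrapped message in this example
COMPRESSOR_ZLIB = 2                   # compressorId for zlib (0 noop, 1 snappy, 3 zstd)
MAX_UNCOMPRESSED = 48_000_000         # assumed cap, mirrors mongod's 48 MB message limit

MSG_HEADER = struct.Struct("<iiii")   # messageLength, requestID, responseTo, opCode
COMP_HEADER = struct.Struct("<iiB")   # originalOpcode, uncompressedSize, compressorId
STALE_HEAP = b"\xdd"                  # constructed marker standing in for old heap contents


class LengthMismatch(ValueError):
    """uncompressedSize disagrees with what the deflate stream actually yields."""


def build_op_compressed(body: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Wrap `body` in OP_COMPRESSED; `declared_size` may deliberately differ from len(body)."""
    inner = COMP_HEADER.pack(OP_MSG, declared_size, COMPRESSOR_ZLIB) + zlib.compress(body)
    return MSG_HEADER.pack(MSG_HEADER.size + len(inner), request_id, 0, OP_COMPRESSED) + inner


def split_frame(frame: bytes):
    """Validate the outer framing and return (declared uncompressedSize, deflate stream)."""
    if len(frame) < MSG_HEADER.size + COMP_HEADER.size:
        raise ValueError("frame shorter than the two headers")
    msg_len, _rid, _rto, opcode = MSG_HEADER.unpack_from(frame, 0)
    if msg_len != len(frame) or opcode != OP_COMPRESSED:
        raise ValueError("not a well-formed OP_COMPRESSED frame")
    _orig_op, declared, comp_id = COMP_HEADER.unpack_from(frame, MSG_HEADER.size)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError("only the zlib compressor is modelled here")
    return declared, frame[MSG_HEADER.size + COMP_HEADER.size:]


def decode_lenient(frame: bytes) -> bytes:
    """The CWE-130 pattern: size the buffer from the header, inflate into it, return all of it.

    Bytes zlib never wrote keep whatever the allocator left there (STALE_HEAP in this model,
    real heap contents in a vulnerable server) and are treated as part of the client's message.
    """
    declared, stream = split_frame(frame)
    buf = bytearray(STALE_HEAP * max(declared, 0))
    out = zlib.decompress(stream)
    n = min(len(out), len(buf))
    buf[:n] = out[:n]
    return bytes(buf)


def decode_strict(frame: bytes) -> bytes:
    """Hardened form: bound the declared size, never inflate past it, demand an exact match."""
    declared, stream = split_frame(frame)
    if not 0 < declared <= MAX_UNCOMPRESSED:
        raise LengthMismatch(f"uncompressedSize {declared} out of bounds")
    d = zlib.decompressobj()
    out = d.decompress(stream, declared + 1)   # one spare byte makes an over-long stream visible
    if len(out) != declared:
        seen = f"more than {declared}" if len(out) > declared else str(len(out))
        raise LengthMismatch(f"header declares {declared} bytes, stream yields {seen}")
    if not d.eof or d.unused_data:
        raise LengthMismatch("deflate stream truncated or followed by trailing bytes")
    return out


def demo() -> dict:
    """Honest frame round-trips; an over-declared frame leaks STALE_HEAP through the lenient path."""
    body = b"\x00\x00\x00\x00\x00" + b'{"ping": 1}'          # constructed stand-in for an OP_MSG body
    honest = build_op_compressed(body, len(body))
    overstated = build_op_compressed(body, len(body) + 32)  # claims 32 bytes it does not carry
    result = {"honest_roundtrip": decode_strict(honest) == body,
              "lenient_leaked_bytes": decode_lenient(overstated)[len(body):]}
    try:
        decode_strict(overstated)
        result["strict_rejected"] = False
    except LengthMismatch as exc:
        result["strict_rejected"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The strict decoder checks three things the lenient one does not: the declared size is bounded before any allocation, zlib is never allowed to write more than that bound (which also blocks decompression bombs), and the stream must end exactly where the header says it does. Either an under-declared or an over-declared `uncompressedSize` is rejected rather than silently padded or truncated.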
- Description
- Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
- Source
- cna@mongodb.com
- NVD status
- Awaiting Analysis
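A triage helper for the affected ranges listed in the description above, added here as an example and not code from the page or from MongoDB. It encodes exactly the ranges the advisory states (the 4.2, 4.0 and 3.6 series are listed with no fixed release), classifies version strings as printed by `mongod --version` or `db.version()`, and groups a constructed sample inventory by status; the inventory, host names and function names are assumptions of this example, and pre-release suffixes are ignored rather than compared.

```python
import re

# Affected ranges as stated in the advisory text; None means the advisory lists the whole
# series as affected and names no fixed release (4.2, 4.0 and 3.6).
FIXED_IN = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
    (4, 2): None,
    (4, 0): None,
    (3, 6): None,
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

SAMPLE_INVENTORY = {   # constructed sample: host -> output of `mongod --version` or db.version()
    "db-prod-01": "db version v7.0.14",
    "db-prod-02": "8.0.17",
    "db-legacy": "v4.2.24",
    "db-analytics": "db version v8.2.1",
    "db-new": "8.2.3",
}


def parse_version(text: str) -> tuple:
    """Pull x.y.z out of strings such as 'db version v7.0.14'; suffixes like -rc0 are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text: str) -> str:
    """Return 'affected', 'affected (no fix listed)', 'fixed' or 'not listed' for one server."""
    version = parse_version(text)
    series = version[:2]
    if series not in FIXED_IN:
        return "not listed"                 # a series the advisory does not enumerate: check vendor notes
    fixed = FIXED_IN[series]
    if fixed is None:
        return "affected (no fix listed)"   # end-of-life series: no patched release to upgrade to
    return "affected" if version < fixed else "fixed"


def triage(inventory: dict) -> dict:
    """Group hosts by classification, worst first, preserving inventory order within each group."""
    groups = {"affected (no fix listed)": [], "affected": [], "not listed": [], "fixed": []}
    for host, version_text in inventory.items():
        groups[classify(version_text)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:26s} {', '.join(hosts) or '-'}")
```

Hosts in the "affected (no fix listed)" group cannot be patched in place and need a major-version upgrade or network isolation; "not listed" covers series the advisory text does not enumerate and should be resolved against the vendor's own notes rather than assumed safe.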
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- Weakness (cna@mongodb.com)
- CWE-130: Improper Handling of Length Parameter Inconsistency
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 23
MongoDB warns of critical flaw CVE-2025-14847 in zlib compression that lets unauthenticated attackers read uninitialized heap memory, risking sensitive data exposure across multiple versions. #Vulnerability https://t.co/LMtjCIpGxC
@threatcluster
24 Dec 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CRITICAL: MongoDB heap memory leak (CVE-2025-14847, CVSS 7.5/8.7) allows attackers to leak sensitive data from server memory without authentication. Immediate patching required. How Orca can help ↓ https://t.co/qtJTAWS4UL https://t.co/EhKk2f9aDE
@orcasec
23 Dec 2025
147 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical MongoDB Leak: New CVE-2025-14847 Exposes Sensitive Data Across All Major Versions Read the full report on - https://t.co/JeVCV2vH5Y https://t.co/DycnqsSicg
@Iambivash007
23 Dec 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-14847: Critical Unauthenticated MongoDB Flaw Leaks Sensitive Data via zlib Compression. 📊 447.8K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/mcr6hQy5Lu 👇Query HUNTER : https://t.co/q9rtuGfZuz="MongoDB" https:
@HunterMapping
23 Dec 2025
5313 Impressions
20 Retweets
95 Likes
47 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-14847 (CVSS 7.5): MongoDB Vulnerable to Remote Code Execution MongoDB is vulnerable to a Zlib compression header length confusion, allowing unauthenticated clients to read uninitialized heap memory due to mismatched length fields in compressed protocol headers. http
@zoomeye_team
23 Dec 2025
16512 Impressions
53 Retweets
194 Likes
90 Bookmarks
0 Replies
2 Quotes