
High severity flaw in MongoDB could allow memory leakage

Friday 26 December 2025, 21:12, by InfoWorld
Document database vendor MongoDB has advised customers to update immediately following the discovery of a flaw that could allow unauthenticated users to read uninitialized heap memory.

Designated CVE-2025-14847, the bug, which involves mismatched length fields in zlib-compressed protocol headers, could allow an attacker to execute arbitrary code and potentially seize control of a device.

The flaw affects the following MongoDB and MongoDB Server versions:

MongoDB 8.2.0 through 8.2.3

MongoDB 8.0.0 through 8.0.16

MongoDB 7.0.0 through 7.0.26

MongoDB 6.0.0 through 6.0.26

MongoDB 5.0.0 through 5.0.31

MongoDB 4.4.0 through 4.4.29

All MongoDB Server v4.2 versions

All MongoDB Server v4.0 versions

All MongoDB Server v3.6 versions

In its advisory, MongoDB “strongly suggested” that users upgrade immediately to the patched versions of the software: MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

However, it said, “if you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”
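
As an added example (not code from MongoDB or from the article), the following Python checks a server version against the patched releases named above and checks whether a mongod or mongos command line explicitly omits zlib. The function names, status strings and sample inventory are constructed for illustration; an unset option is treated as not mitigated because the advisory asks for an option that explicitly omits zlib, and a `net.compression.compressors` value read from a config file can be passed to `zlib_omitted` directly.

```python
# Patched releases and option names come from the article text. The article also
# lists 8.2.3 inside the affected range; this example follows the patched list.
FIXED = {(8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
         (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30)}
NO_FIX_LISTED = {(4, 2), (4, 0), (3, 6)}  # "All ... versions" in the article


def needs_upgrade(version):
    """True if the version is in a listed series and below its patched release."""
    v = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    if v[:2] in NO_FIX_LISTED:
        return True
    return v[:2] in FIXED and v < FIXED[v[:2]]


def compressors_from_argv(argv):
    """Return the --networkMessageCompressors value, or None if the option is absent."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def zlib_omitted(compressors):
    """True only when compressors are set explicitly and zlib is not among them."""
    if compressors is None:  # unset: the server default applies, nothing is explicit
        return False
    return "zlib" not in {c.strip().lower() for c in compressors.split(",")}


def assess(version, argv):
    """Combine the version check and the interim mitigation check."""
    if not needs_upgrade(version):
        return "patched-or-unlisted"
    if zlib_omitted(compressors_from_argv(argv)):
        return "upgrade-pending-zlib-excluded"
    return "upgrade-now-zlib-not-excluded"


if __name__ == "__main__":
    # Constructed sample inventory: (host, server version, process command line)
    fleet = [
        ("db1", "8.0.16", ["mongod", "--networkMessageCompressors", "snappy,zstd"]),
        ("db2", "7.0.26", ["mongod", "--networkMessageCompressors=snappy,zlib"]),
        ("db3", "8.0.17", ["mongod"]),
    ]
    for host, ver, argv in fleet:
        print(host, ver, assess(ver, argv))
```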

MongoDB, one of the most popular NoSQL document databases for developers, says it currently has more than 62,000 customers worldwide, including 70% of the Fortune 100.
https://www.infoworld.com/article/4111707/high-severity-flaw-in-mongodb-could-allow-memory-leakage.h
