Document database vendor MongoDB has advised customers to update immediately following the discovery of a flaw that could allow unauthenticated users to read uninitialized heap memory.
Designated CVE-2025-14847, the bug, which stems from mismatched length fields in zlib-compressed protocol headers, could allow an attacker to execute arbitrary code and potentially seize control of a device.
The flaw affects the following MongoDB and MongoDB Server versions:
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
In its advisory, MongoDB “strongly suggested” that users upgrade immediately to the patched versions of the software: MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
However, it said, “if you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”
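As an added check for the workaround quoted above (example code written here, not MongoDB's own tooling), the script below reads a mongod/mongos launch configuration and reports whether zlib would still be accepted. It uses the two option names from the quote, --networkMessageCompressors and net.compression.compressors, and assumes the server default of snappy,zstd,zlib when neither is set, which is why the advisory says the option must "explicitly omit" zlib: leaving it unset does not disable it.

```python
"""Report whether a mongod/mongos configuration still enables zlib network
compression. Added example, not MongoDB tooling. Assumes the documented
option names and a default compressor list of snappy,zstd,zlib."""
import re

DEFAULT_COMPRESSORS = ("snappy", "zstd", "zlib")  # assumed server default


def compressors_from_argv(argv):
    """Return the list given to --networkMessageCompressors, or None if absent."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1].split(",")
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1].split(",")
    return None


def compressors_from_config(text):
    """Minimal indentation-based reader for net.compression.compressors in a
    mongod.conf YAML fragment (handles the standard layout, not full YAML)."""
    path = []
    for line in text.splitlines():
        m = re.match(r"^(\s*)([A-Za-z.]+):\s*(.*?)\s*$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        path = [p for p in path if p[0] < indent] + [(indent, key)]
        if [p[1] for p in path] == ["net", "compression", "compressors"]:
            return value.strip("'\"").split(",") if value else None
    return None


def zlib_enabled(argv=(), config_text=""):
    """True if zlib would be accepted. Command line overrides the config file;
    an unset option falls back to the default, which includes zlib."""
    comps = compressors_from_argv(argv)
    if comps is None:
        comps = compressors_from_config(config_text)
    if comps is None:
        comps = list(DEFAULT_COMPRESSORS)
    comps = [c.strip() for c in comps]
    if comps == ["disabled"]:  # "disabled" turns off all network compression
        return False
    return "zlib" in comps


# Constructed sample configs: one still listing zlib, one with it omitted.
VULNERABLE_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
MITIGATED_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd\n"

if __name__ == "__main__":
    for name, conf in (("unset", ""), ("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        print(f"{name}: zlib enabled = {zlib_enabled(config_text=conf)}")
```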
MongoDB, one of the most popular NoSQL document databases for developers, says it currently has more than 62,000 customers worldwide, including 70% of the Fortune 100.
This article originally appeared on InfoWorld.