National Cyber Warfare Foundation (NCWF)

High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover


2025-12-25 10:51:29
milo
Blue Team (CND)


MongoDB addressed a high-severity vulnerability that can be exploited to achieve remote code execution on vulnerable servers.





MongoDB addressed a high-severity vulnerability, tracked as CVE-2025-14847 (CVSS score 8.7), that an unauthenticated, remote attacker can exploit to execute arbitrary code on vulnerable servers. According to the vendor advisory, the root cause is in the server's zlib decompression path, which can be made to return uninitialized heap memory to a client before any authentication takes place.





“A client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible,” reads the advisory.





This flaw impacts the following MongoDB versions:






  • MongoDB 8.2.0 through 8.2.2




  • MongoDB 8.0.0 through 8.0.16




  • MongoDB 7.0.0 through 7.0.26




  • MongoDB 6.0.0 through 6.0.26




  • MongoDB 5.0.0 through 5.0.31




  • MongoDB 4.4.0 through 4.4.29




  • All MongoDB Server v4.2 versions




  • All MongoDB Server v4.0 versions




  • All MongoDB Server v3.6 versions





The issue is fixed in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. The 4.2, 4.0, and 3.6 branches are end-of-life and receive no fix.





Users should upgrade immediately or, if they cannot, apply the interim mitigation of disabling zlib on every mongod and mongos by configuring the network compressor list to omit zlib. Note that the compressor list is negotiated during the connection handshake: a client can only use zlib if the server still advertises it, so removing it server-side is sufficient.





“We strongly suggest you upgrade immediately,” continues the advisory. “If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. Example safe values include snappy,zstd or disabled.”
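The two checks a responder actually needs here are (1) is this server on a release older than the branch's fixed version (or on an unfixed branch), and (2) is zlib still in the negotiated compressor list. The following is an added example, not code from the article or from MongoDB: it evaluates both against the output of `db.version()` and `db.adminCommand({getCmdLineOpts: 1})`, which an operator would paste in from mongosh. The sample `getCmdLineOpts` documents are constructed. The fixed-version table comes from the advisory; the assumption that an unset `net.compression.compressors` means the server default of `snappy,zstd,zlib` (and therefore zlib enabled) reflects MongoDB's documented default for 4.2 and later.

```python
"""Triage CVE-2025-14847 exposure from a server's version string and its
effective network compressor list. Inputs are constructed; no live
connection is made."""
import re

# First fixed release per branch, as listed in the MongoDB advisory.
FIXED_IN = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
# Branches the advisory lists as affected at every version, with no fix.
UNFIXED_BRANCHES = {(4, 2), (4, 0), (3, 6)}
# Assumption: the default compressor list when net.compression.compressors
# is not set (MongoDB 4.2+). "Not set" therefore means zlib is ENABLED.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(s):
    """'8.2.2' -> (8, 2, 2); tolerates suffixes such as '7.0.26-ent'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(version):
    """True if the version is affected, False if fixed, None if the branch
    is not covered by the advisory (needs a manual check)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in UNFIXED_BRANCHES:
        return True
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    return v < fixed


def compressor_list(cmdline_opts):
    """Effective compressors from db.adminCommand({getCmdLineOpts: 1}).
    getCmdLineOpts only echoes options that were explicitly set, so an
    absent key falls back to the server default."""
    parsed = cmdline_opts.get("parsed", {})
    raw = parsed.get("net", {}).get("compression", {}).get("compressors")
    if raw is None:
        raw = DEFAULT_COMPRESSORS
    return [c.strip().lower() for c in raw.split(",") if c.strip()]


def zlib_enabled(cmdline_opts):
    return "zlib" in compressor_list(cmdline_opts)


def assess(version, cmdline_opts):
    """One of: 'patched', 'mitigated', 'exposed', 'unknown-branch'."""
    vuln = version_vulnerable(version)
    if vuln is None:
        return "unknown-branch"
    if not vuln:
        return "patched"
    return "exposed" if zlib_enabled(cmdline_opts) else "mitigated"


# Constructed getCmdLineOpts documents (shape matches the real command output).
OPTS_DEFAULT = {  # nothing set -> server default list, zlib on
    "argv": ["mongod", "--config", "/etc/mongod.conf"],
    "parsed": {"config": "/etc/mongod.conf",
               "net": {"bindIp": "127.0.0.1", "port": 27017}},
    "ok": 1,
}
OPTS_MITIGATED = {  # advisory's interim mitigation applied
    "argv": ["mongod", "--networkMessageCompressors", "snappy,zstd"],
    "parsed": {"net": {"compression": {"compressors": "snappy,zstd"}}},
    "ok": 1,
}
OPTS_DISABLED = {  # compression switched off entirely
    "argv": ["mongos", "--networkMessageCompressors", "disabled"],
    "parsed": {"net": {"compression": {"compressors": "disabled"}}},
    "ok": 1,
}

if __name__ == "__main__":
    for ver, opts in [("8.2.2", OPTS_DEFAULT), ("8.2.2", OPTS_MITIGATED),
                      ("8.2.3", OPTS_DEFAULT), ("4.2.25", OPTS_DISABLED),
                      ("4.0.28", OPTS_DEFAULT)]:
        print(f"{ver:8} compressors={compressor_list(opts)} -> {assess(ver, opts)}")
```

The matching `mongod.conf` fragment for the "mitigated" state is `net: { compression: { compressors: snappy,zstd } }`; the example deliberately treats a server with no explicit setting as exposed, because the default list includes zlib and `getCmdLineOpts` will not show it.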





MongoDB is a popular open-source NoSQL database used to store and manage data in a flexible, document-based format.





Instead of tables and rows like traditional SQL databases, MongoDB stores data as JSON-like documents in a binary encoding called BSON. This makes it well suited for modern applications that need scalability, high performance, and flexible data models.










Pierluigi Paganini





(SecurityAffairs – hacking, CVE-2025-14847)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/186107/security/high-severity-mongodb-flaw-cve-2025-14847-could-lead-to-server-takeover.html





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.