A critical security flaw in MongoDB could allow unauthenticated attackers to extract sensitive data directly from server memory, prompting urgent patching warnings from security researchers and the database vendor.
The vulnerability, tracked as CVE-2025-14847, affects MongoDB’s implementation of zlib compression and exposes uninitialized heap memory to remote attackers without requiring login credentials.
Researchers say the issue significantly lowers the barrier for exploitation and could lead to large scale data leaks if left unaddressed.
According to security analyses published this week, the flaw sits in MongoDB's network message decompression logic. By sending specially crafted compressed wire-protocol messages, an attacker can cause a MongoDB server to include fragments of heap memory that were never intended to leave the process in its responses.
This memory may contain sensitive information such as user data, credentials, cryptographic material or internal application secrets.
The vulnerability impacts a broad range of MongoDB versions across several major releases.
Affected versions include MongoDB 8.2.0 through 8.2.2, 8.0.0 through 8.0.16, 7.0.0 through 7.0.27, 6.0.0 through 6.0.26, 5.0.0 through 5.0.31 and 4.4.0 through 4.4.29. Older branches including versions 4.2, 4.0 and 3.6 are also affected and do not have backported fixes.
MongoDB has released patched versions to address the issue: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30. Security teams are being urged to upgrade immediately, particularly for servers exposed to the internet or reachable by an attacker who has already gained a foothold inside the network.
For organizations unable to patch right away, MongoDB has recommended temporary mitigations. These include removing zlib from the list of enabled compressors in the database configuration (the net.compression.compressors setting, or the equivalent --networkMessageCompressors command-line option) so that only alternatives such as Snappy or Zstandard are accepted. Note that a server still negotiates the compressors it advertises, so the check is what the running process accepts, not what a client prefers.
Administrators are also advised to close unused ports and restrict network access to MongoDB instances wherever possible, since the flaw is reachable before authentication and exposure is what turns it into a data leak.
Technical reviews of the fix show that the vulnerability stemmed from incorrect handling of buffer sizes during zlib decompression.
The original code reported the size of the output buffer it had allocated rather than the number of bytes zlib actually wrote into it. When the decompressed payload was shorter than the buffer, the remaining bytes still held whatever the allocator had left there, and downstream message handling treated them as part of the client's request, so they could be echoed back to the sender.
The patch corrects this behavior by returning only the length of data that was genuinely decompressed, so the uninitialized tail of the buffer is never interpreted or sent.
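The following Python model, added here and not taken from MongoDB's source, ties together the crafted-message description above and the length-handling bug just described. It frames a payload in the documented OP_COMPRESSED layout (opcode 2012, then originalOpcode, uncompressedSize and compressorId, with 2 meaning zlib), parses it back, and contrasts a decompress routine that reports the size of the buffer it allocated with one that reports the bytes zlib actually produced. The STALE_HEAP bytes, the credential string inside them, the demo() driver and the decompress_* function names are all constructed for illustration; real uninitialized memory cannot be reproduced from Python, so a pre-filled buffer stands in for it.

```python
"""Model of the OP_COMPRESSED length-handling bug (CVE-2025-14847 class).

Added example, not MongoDB's code. The wire framing follows the public
OP_COMPRESSED layout; the decompress functions are a simplified model of
the bug, with a constructed stale-heap buffer standing in for memory an
allocator hands out without zeroing.
"""
import struct
import zlib

OP_COMPRESSED = 2012   # opcode of a compressed wire-protocol message
OP_MSG = 2013          # opcode of the wrapped (original) message
COMPRESSOR_ZLIB = 2    # compressorId values: 0 noop, 1 snappy, 2 zlib, 3 zstd

# Constructed sample: bytes a fresh allocation would inherit before anything is
# written into it. Stands in for real uninitialized heap memory.
STALE_HEAP = b"\x00" * 8 + b"db.users password=hunter2 " * 8


def build_op_compressed(payload: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Frame payload in an OP_COMPRESSED message compressed with zlib.

    An honest client passes declared_size == len(payload). A crafted client can
    declare a larger uncompressedSize than the data really inflates to.
    """
    body = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + zlib.compress(payload)
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def parse_op_compressed(msg: bytes):
    """Split an OP_COMPRESSED message into (originalOpcode, uncompressedSize, compressed)."""
    if len(msg) < 16 + 9:
        raise ValueError("message too short")
    length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED or length != len(msg):
        raise ValueError("not a well-formed OP_COMPRESSED message")
    original_opcode, declared_size, compressor_id = struct.unpack_from("<iiB", msg, 16)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("this example only handles zlib")
    return original_opcode, declared_size, msg[16 + 9:]


def _inflate_into(compressed: bytes, declared_size: int):
    """Allocate declared_size bytes (inheriting stale contents) and inflate into them.

    Returns the buffer and the number of bytes zlib actually produced.
    """
    if declared_size < 0 or declared_size > len(STALE_HEAP):
        raise ValueError("declared size out of range for this model")
    out = bytearray(STALE_HEAP[:declared_size])      # models an uninitialized allocation
    data = zlib.decompress(compressed)
    if len(data) > declared_size:
        raise ValueError("inflated data exceeds declared size")
    out[:len(data)] = data
    return out, len(data)


def decompress_vulnerable(compressed: bytes, declared_size: int) -> bytes:
    """Pre-patch behaviour: report the whole buffer, not the inflated length."""
    out, _produced = _inflate_into(compressed, declared_size)
    return bytes(out)                                # bug: stale tail bytes are returned


def decompress_fixed(compressed: bytes, declared_size: int) -> bytes:
    """Patched behaviour: only the bytes zlib actually wrote are returned."""
    out, produced = _inflate_into(compressed, declared_size)
    return bytes(out[:produced])


def demo():
    """Send a tiny payload with an inflated uncompressedSize and compare both paths."""
    payload = b'{"ping":1}'
    crafted = build_op_compressed(payload, declared_size=200)   # lies about the size
    _, declared_size, compressed = parse_op_compressed(crafted)
    leaked = decompress_vulnerable(compressed, declared_size)
    clean = decompress_fixed(compressed, declared_size)
    return leaked, clean


if __name__ == "__main__":
    leaked, clean = demo()
    print("vulnerable returned", len(leaked), "bytes, stale tail contains credential:",
          b"password=hunter2" in leaked)
    print("fixed returned", len(clean), "bytes:", clean)
```

Run stand-alone, the vulnerable path returns 200 bytes of which only the first 10 are the client's message, and the constructed credential string shows up in the remainder; the fixed path returns exactly the 10 decompressed bytes. The same model also shows why an honest message is unaffected: when uncompressedSize equals the real length, both routines return identical output, which is why the bug survived ordinary testing.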
Security researchers warn that while exploiting the flaw to extract large volumes of meaningful data may require repeated requests over time, the risk increases the longer a vulnerable server remains exposed. Any MongoDB deployment handling sensitive or regulated data is considered at elevated risk.
