Heap Memory Exposure in MongoDB Server Versions by MongoDB
CVE-2025-14847

8.7HIGH

Key Information:

Vendor: MongoDB
Status: Mongodb Server
Vendor: CVE Published:; 19 December 2025

What is CVE-2025-14847?

The vulnerability arises from mismatched length fields in Zlib compressed protocol headers within MongoDB Server, potentially allowing an unauthenticated client to access uninitialized heap memory. This could lead to unauthorized information exposure, affecting versions of MongoDB Server across multiple releases. Users are advised to update to the latest versions to mitigate risks associated with this vulnerability.

Affected Version(s)

MongoDB Server 8.2 < 8.2.3

MongoDB Server 8.0 < 8.0.17

MongoDB Server 7.0 < 7.0.28

References

https://jira.mongodb.org/browse/SERVER-115508

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 19, 2025
Vulnerability Reserved
Dec 17, 2025

JSON