CVE-2025-14847
published 2025-12-19

CVE-2025-14847: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all…

Priority: P1 (90), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2026-01-19
Exploited in the wild
EPSS: 83.01% (99.6th percentile)
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, v8.0 versions prior to 8.0.17, v8.2 versions prior to 8.2.3, v6.0 versions prior to 6.0.27, v5.0 versions prior to 5.0.32, v4.4 versions prior to 4.4.30, and all v4.2 versions (>= 4.2.0), v4.0 versions (>= 4.0.0) and v3.6 versions (>= 3.6.0).

Affected (15 ranges)

Vendor        Product          Version range        Fixed in
mongodb       mongodb          >= 3.6.0 < 4.4.30    4.4.30
mongodb       mongodb          >= 5.0.0 < 5.0.32    5.0.32
mongodb       mongodb          >= 6.0.0 < 6.0.27    6.0.27
mongodb       mongodb          >= 7.0.0 < 7.0.28    7.0.28
mongodb       mongodb          >= 8.0.0 < 8.0.17    8.0.17
mongodb       mongodb          >= 8.2.0 < 8.2.3     8.2.3
mongodb_inc   mongodb_server
mongodb_inc   mongodb_server
mongodb_inc   mongodb_server
mongodb_inc   mongodb_server   >= 4.4 < 4.4.30      4.4.30
mongodb_inc   mongodb_server   >= 5.0 < 5.0.32      5.0.32
mongodb_inc   mongodb_server   >= 6.0 < 6.0.27      6.0.27
mongodb_inc   mongodb_server   >= 7.0 < 7.0.28      7.0.28
mongodb_inc   mongodb_server   >= 8.0 < 8.0.17      8.0.17
mongodb_inc   mongodb_server   >= 8.2 < 8.2.3       8.2.3

Detection & IOCs (extracted from sources)

path: message_compressor_zlib.cpp
bytes: 2a0000000100000000000000dc070000dd0700003200000002789c636080028144064620050002ca0073

Nuclei template (YAML):
id: CVE-2025-14847
info:
  name: CVE-2025-14847 - Information Disclosure allowed in MongoDB Server
  author: Wiz Research
  severity: High
  description: |
    Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client in MongoDB.
  metadata:
    max-request: 1
  tags: mongodb,memory-leak,network

tcp:
  - host:
    - "{{Hostname}}"
    inputs:
    - data: "2a0000000100000000000000dc070000dd0700003200000002789c636080028144064620050002ca0073"
      type: hex

    read-size: 1024
    matchers:
    - type: dsl
      dsl:
      - "contains(toupper(zlib_decode(substr(data, 25))), 'BSON')"
      - "contains(toupper(data), 'BSON')"
      condition: or
• The current PoC exploit omits client metadata; an attacker could modify it to include fake client metadata or reduce exploitation speed to evade this detection heuristic.
• Monitor MongoDB logs for anomalous pre-authentication connections or unexpected crashes as indicators of CVE-2025-14847 exploitation.
• Real-world attacks flood the server with thousands of connections to scrape large amounts of RAM; a single source IP generating a high volume of pre-auth TCP connections to the MongoDB port is a strong exploitation signal.
• Detect exploitation by inspecting MongoDB server responses for BSON signatures in unauthorized (pre-auth) memory leak responses: the Nuclei template checks for 'BSON' in zlib-decoded response data starting at offset 25.
• The vulnerability is triggered via a malformed OP_COMPRESSED message with a spoofed uncompressedSize field; network inspection for oversized uncompressedSize values relative to actual payload size can identify exploit attempts.
• The vulnerability is exploitable before authentication; any unauthenticated zlib-compressed OP_COMPRESSED message to MongoDB should be treated as suspicious and investigated.
• CVE-2025-14847 is only exploitable when zlib compression is enabled on the MongoDB server. Disabling zlib (by omitting it from networkMessageCompressors or net.compression.compressors) mitigates the vulnerability if patching is not immediately possible.
• Safe alternative compression options to replace zlib include Zstandard (zstd) and Snappy; fully disabling compression is also an option.
• All MongoDB Server v3.6, v4.0, and v4.2 versions are affected with no in-branch fix available; these end-of-life versions must be upgraded to a supported patched release.
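The uncompressedSize inspection heuristic above, worked through as an added example (this is not code from the page, from MongoDB or from Wiz): it parses an OP_COMPRESSED message, inflates the zlib payload under a size cap, and compares the declared uncompressedSize with the length the stream really yields, using the message bytes quoted in the IOC section as input. The opcode and compressorId constants are those of the MongoDB wire protocol; the result keys and the `build_op_compressed` helper for the benign comparison case are my own.

```python
import struct
import zlib

OP_COMPRESSED, OP_MSG = 2012, 2013   # MongoDB wire-protocol opcodes
COMPRESSOR_ZLIB = 2                  # compressorId value that selects zlib
BODY_OFFSET = 25                     # MsgHeader(16) + originalOpcode(4) + uncompressedSize(4) + compressorId(1)

# The OP_COMPRESSED message quoted in the IOC section of this page (hex, as published).
PAGE_MESSAGE_HEX = ("2a0000000100000000000000dc070000dd070000"
                    "3200000002789c636080028144064620050002ca0073")


def inspect_op_compressed(msg: bytes) -> dict:
    """Compare the client-declared uncompressedSize of an OP_COMPRESSED message with the
    length its zlib stream really inflates to; a declared size larger than the inflated
    length is the CVE-2025-14847 trigger pattern, and any mismatch is worth an alert."""
    if len(msg) < BODY_OFFSET:
        return {"suspicious": True, "reason": "shorter than an OP_COMPRESSED header"}
    msg_len, _req_id, _resp_to, op_code = struct.unpack_from("<iiii", msg, 0)
    if op_code != OP_COMPRESSED:
        return {"suspicious": False, "reason": "not OP_COMPRESSED", "op_code": op_code}
    if msg_len != len(msg):
        return {"suspicious": True, "reason": f"messageLength {msg_len} != actual {len(msg)}"}
    orig_op, declared, compressor_id = struct.unpack_from("<iiB", msg, 16)
    if compressor_id != COMPRESSOR_ZLIB:
        return {"suspicious": False, "reason": "not zlib-compressed", "compressor_id": compressor_id}
    if declared < 0:
        return {"suspicious": True, "reason": f"negative uncompressedSize {declared}"}
    inflater = zlib.decompressobj()
    try:  # cap the inflate at declared+1 so a hostile stream cannot expand without bound
        inflated = inflater.decompress(msg[BODY_OFFSET:], declared + 1)
    except zlib.error as exc:
        return {"suspicious": True, "reason": f"corrupt zlib stream: {exc}"}
    if not inflater.eof:  # truncated stream, or one that inflates past the declared size
        return {"suspicious": True, "reason": "zlib stream does not end within uncompressedSize"}
    actual = len(inflated)
    return {"suspicious": actual != declared,
            "reason": "uncompressedSize mismatch" if actual != declared else "sizes agree",
            "original_opcode": orig_op,
            "declared_uncompressed_size": declared,
            "actual_inflated_size": actual}


def build_op_compressed(body: bytes, request_id: int = 1) -> bytes:
    """Build a well-formed zlib OP_COMPRESSED around an OP_MSG body (benign reference case)."""
    payload = zlib.compress(body)
    tail = struct.pack("<iiB", OP_MSG, len(body), COMPRESSOR_ZLIB) + payload
    return struct.pack("<iiii", 16 + len(tail), request_id, 0, OP_COMPRESSED) + tail
```

On the page's message the stream inflates to 16 bytes while the header declares 50, so 34 bytes of the server's allocation would never be written; a correctly built message of the same shape passes the check.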

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                   8.7     HIGH
vulncheck             8.7     HIGH
cisa                  8.7     HIGH