A critical vulnerability was disclosed in MongoDB, one of the world’s most popular NoSQL database platforms. The security flaw, tracked as CVE-2025-14847, allows attackers to siphon sensitive data from the server’s memory without ever logging in.
With a CVSSv4 score of 8.7, the vulnerability is rated as “High Severity” and poses a significant risk to unpatched deployments, particularly because it requires no authentication to exploit.
The vulnerability resides in how the MongoDB Server handles data compression. Specifically, it involves the zlib library implementation. According to the advisory, a specific “client-side exploit of the Server’s zlib implementation can return uninitialized heap memory”.
In security terms this is an “information disclosure” bug (often loosely called a “memory leak”): by sending a specially crafted request, a malicious client can trick the server into responding with chunks of its own internal memory (heap).
Crucially, the report notes that this can be achieved “without authenticating to the server”. This means an attacker doesn’t need a username or password; they simply need network access to the database port to potentially harvest sensitive scraps of data residing in the server’s RAM, which could include anything from recent queries to cached credentials.
The scope of the vulnerability is massive, affecting nearly every supported (and unsupported) version of MongoDB Server from the last several years. The advisory lists impacts ranging from the modern 8.2 series all the way back to v3.6.
This issue affects MongoDB versions:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
The maintainers have released fixed versions for supported branches. Administrators are strongly urged to upgrade immediately to the following versions to close the security gap:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30
For teams unable to take their databases offline for an immediate upgrade, a temporary workaround exists. The advisory suggests disabling zlib compression entirely.
“If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with… a net.compression.compressors option that explicitly omits zlib”.
Safe alternatives for compression include “snappy” or “zstd,” or running with compression disabled until the patch can be applied.
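As an added example (not from the advisory or the MongoDB project), a small Python audit helper that turns the version list and the zlib workaround above into a check: it treats any build below its branch’s fixed release as affected, reads net.compression.compressors from a mongod.conf with a minimal line-based parser, and assumes mongod’s default compressor list includes zlib when the key is absent; the sample configs are constructed.

```python
import re

# Fixed release per supported branch, from the advisory excerpt above; any build
# below it is treated as affected. None marks branches affected in every release.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
    (4, 2): None, (4, 0): None, (3, 6): None,
}
# Assumption: mongod's default compressor list when the key is absent.
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]

def parse_version(text):
    """'8.0.16' -> (8, 0, 16); ignores suffixes such as '-rc0'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(text):
    """True/False for listed branches, None for a branch the advisory omits."""
    v = parse_version(text)
    if v[:2] not in FIXED_BY_BRANCH:
        return None
    fixed = FIXED_BY_BRANCH[v[:2]]
    return fixed is None or v < fixed

def configured_compressors(conf_text):
    """net.compression.compressors from mongod.conf text (line-based, no PyYAML;
    assumes the standard nested layout). None when absent: server default applies."""
    m = re.search(r"^\s*compressors:\s*(.+?)\s*$", conf_text, re.M)
    if not m:
        return None
    return [c.strip() for c in m.group(1).strip("\"'").split(",") if c.strip()]

def zlib_enabled(conf_text):
    comps = configured_compressors(conf_text)
    return "zlib" in (DEFAULT_COMPRESSORS if comps is None else comps)

def assess(version, conf_text):
    """'patched', 'mitigated' (affected build, zlib off), 'exposed', or 'unlisted'."""
    affected = version_affected(version)
    if affected is None:
        return "unlisted"
    if not affected:
        return "patched"
    return "exposed" if zlib_enabled(conf_text) else "mitigated"

# Constructed sample configs: zlib left enabled vs. the advised workaround.
WEAK_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
SAFE_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd\n"
```

A server whose config omits the key entirely is reported as exposed on an affected build, since the default list is assumed to include zlib; the value `disabled` is recognised as turning compression off.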