MongoDB has warned IT administrators to immediately patch a high-severity vulnerability that attackers can exploit in remote code execution (RCE) attacks against vulnerable servers.
Tracked as CVE-2025-14847, the security flaw affects multiple MongoDB and MongoDB Server versions. Moreover, unauthenticated threat actors can exploit the issue through low-complexity attacks that require no user interaction.
CVE-2025-14847 stems from improper handling of a length parameter inconsistency. As a result, attackers can execute arbitrary code and potentially take full control of targeted devices.
Recommended Fixes and Immediate Mitigation Steps
To address the flaw and prevent potential attacks, MongoDB advises administrators to immediately upgrade to one of the following versions:
- MongoDB 8.2.3
- MongoDB 8.0.17
- MongoDB 7.0.28
- MongoDB 6.0.27
- MongoDB 5.0.32
- MongoDB 4.4.30
The vulnerability impacts the following MongoDB releases:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
MongoDB Security Team Advisory
“A client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible,” MongoDB’s security team said in a Friday advisory.
“We strongly suggest you upgrade immediately. If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”
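An added helper, not part of the advisory or of MongoDB's own tooling, that turns the two actions above into a check a defender can run during inventory: it classifies a reported mongod version against the affected and fixed releases listed on this page (the named fixed release counts as patched), and reports whether zlib is still among the effective message compressors in a mongod.conf or command line. The regexes, the sample config, and the assumption that an unset net.compression.compressors means the documented 4.2+ default (snappy, zstd, zlib) are the author's, not MongoDB's.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in the advisory text above, keyed by release branch.
FIXED = {"8.2": (8, 2, 3), "8.0": (8, 0, 17), "7.0": (7, 0, 28),
         "6.0": (6, 0, 27), "5.0": (5, 0, 32), "4.4": (4, 4, 30)}
# Branches where the advisory lists every release as affected.
ALL_AFFECTED = {"4.2", "4.0", "3.6"}
# Assumption: effective list when net.compression.compressors is unset (4.2+ default).
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]


def parse_version(ver: str) -> Tuple[int, int, int]:
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {ver!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(ver: str) -> Optional[bool]:
    """True/False when the advisory covers this branch, None when it does not."""
    major, minor, patch = parse_version(ver)
    branch = f"{major}.{minor}"
    if branch in ALL_AFFECTED:
        return True
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    return None  # branch not listed on the page; decide separately


def effective_compressors(conf_text: str, cmdline: str = "") -> List[str]:
    """Command-line --networkMessageCompressors wins over mongod.conf, else the default."""
    m = re.search(r"--networkMessageCompressors[= ]+([\w,]+)", cmdline)
    if not m:
        # YAML shape:  net:\n  compression:\n    compressors: snappy,zstd
        m = re.search(r"^\s*compressors:\s*([\w, ]+)$", conf_text, re.MULTILINE)
    if not m:
        return list(DEFAULT_COMPRESSORS)
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def zlib_enabled(conf_text: str, cmdline: str = "") -> bool:
    """True if zlib would be negotiated; 'disabled' turns compression off entirely."""
    return "zlib" in effective_compressors(conf_text, cmdline)


if __name__ == "__main__":
    SAMPLE_CONF = "net:\n  compression:\n    compressors: snappy,zstd,zlib\n"  # constructed
    print("7.0.26 affected:", is_affected("7.0.26"), "| zlib on:", zlib_enabled(SAMPLE_CONF))
```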
Previously, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another MongoDB RCE vulnerability, CVE-2019-10758, to its catalog of known exploited vulnerabilities. Four years ago, CISA flagged the flaw as actively exploited and ordered federal agencies to secure affected systems under Binding Operational Directive (BOD) 22-01.
MongoDB Usage and Industry Adoption
MongoDB remains a widely used non-relational database management system (DBMS). Unlike relational databases such as PostgreSQL and MySQL, MongoDB stores data in BSON (Binary JSON) documents rather than tables.
Currently, more than 62,500 customers worldwide rely on MongoDB, including dozens of Fortune 500 companies.
Source: BleepingComputer, Sergiu Gatlan