Cyber Posture

CVE-2025-14847

Severity: High · CISA KEV · Active Exploitation · Public PoC

Published: 19 December 2025
Modified: 13 January 2026
KEV Added: 29 December 2025
Patch: available (fixed releases are listed in the Description)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7670 (99.0th percentile)
Risk Priority: 81 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Mitigating Controls (NIST 800-53 r5)

prevent · Patch to a fixed MongoDB Server release (7.0.28, 8.0.17, 8.2.3, 6.0.27, 5.0.32 or 4.4.30). The fixes correct the handling of mismatched length fields in Zlib-compressed message headers, so this removes the flaw rather than working around it.

prevent · Validate incoming protocol headers, in particular the uncompressed length declared for Zlib-compressed data, against the bytes actually received and inflated, and reject a message whose fields disagree instead of processing it. That missing consistency check is what CWE-130 (Improper Handling of Length Parameter Inconsistency) describes.

prevent · Memory protection such as heap isolation or initialising freshly allocated buffers limits what an uninitialized read can disclose even when a length mismatch gets past the parser. This is defence in depth, not a substitute for the patch.
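The validation control above is the one that addresses the root cause, so here is what that check looks like in working code. This is an added example written for this page, not MongoDB's server code and not taken from the advisory; it decodes a zlib-compressed wire message and refuses it unless the declared uncompressed size equals the number of bytes that actually inflate, so the buffer handed on can never contain unfilled memory. The OP_COMPRESSED layout it assumes (opcode 2012; body of originalOpcode int32, uncompressedSize int32, compressorId uint8, then the compressed bytes; compressorId 2 for zlib; little-endian throughout) follows the MongoDB wire protocol as the author of this example understands it and is an assumption, as is the 48 MiB size cap used as a stand-in for a real maximum message size. The sample payload is constructed.

```python
"""Added example, not MongoDB's code: reject a zlib-compressed wire message
whose declared uncompressed length disagrees with what actually inflates.

Assumptions (not stated on the page): OP_COMPRESSED is opcode 2012, its body
is originalOpcode int32, uncompressedSize int32, compressorId uint8, then the
compressed bytes, with compressorId 2 meaning zlib, all little-endian; the
48 MiB cap stands in for a real server's maximum message size.
"""
import struct
import zlib
from typing import Optional, Tuple

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MAX_MESSAGE_SIZE = 48 * 1024 * 1024  # assumed cap, see docstring
HEADER_LEN = 16  # messageLength, requestID, responseTo, opCode (int32 each)
COMPRESSED_HDR_LEN = 9  # originalOpcode int32, uncompressedSize int32, compressorId uint8


class MalformedMessage(ValueError):
    """Raised for any frame whose length fields are inconsistent or corrupt."""


def build_op_compressed(payload: bytes, declared_size: Optional[int] = None,
                        original_opcode: int = OP_MSG, request_id: int = 1) -> bytes:
    """Frame payload as an OP_COMPRESSED/zlib message.

    declared_size lets a caller build a frame whose header lies about the
    inflated length, which is exactly the shape of input the decoder must reject.
    """
    if declared_size is None:
        declared_size = len(payload)
    body = struct.pack("<iiB", original_opcode, declared_size, COMPRESSOR_ZLIB)
    body += zlib.compress(payload)
    header = struct.pack("<iiii", HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def decode_op_compressed(frame: bytes) -> Tuple[int, bytes]:
    """Return (originalOpcode, inflated bytes) or raise MalformedMessage.

    Every length the client supplies is checked against bytes we actually
    hold; the inflated buffer is only returned when its real size equals the
    declared uncompressedSize, so no part of it is memory we did not write.
    """
    if len(frame) < HEADER_LEN + COMPRESSED_HDR_LEN:
        raise MalformedMessage("frame shorter than an OP_COMPRESSED header")
    message_length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED:
        raise MalformedMessage(f"expected OP_COMPRESSED, got opcode {opcode}")
    if message_length != len(frame):
        raise MalformedMessage("messageLength disagrees with bytes received")
    original_opcode, declared, compressor = struct.unpack_from("<iiB", frame, HEADER_LEN)
    if compressor != COMPRESSOR_ZLIB:
        raise MalformedMessage(f"unsupported compressorId {compressor}")
    if not 0 <= declared <= MAX_MESSAGE_SIZE:
        raise MalformedMessage(f"uncompressedSize {declared} out of range")

    inflater = zlib.decompressobj()
    try:
        # Ask for at most declared + 1 bytes: enough to notice an oversize
        # stream without letting a tiny compressed blob expand without bound.
        inflated = inflater.decompress(frame[HEADER_LEN + COMPRESSED_HDR_LEN:], declared + 1)
    except zlib.error as exc:
        raise MalformedMessage(f"corrupt zlib stream: {exc}") from exc
    if len(inflated) != declared:
        raise MalformedMessage(
            f"uncompressedSize {declared} but the stream yields {len(inflated)} bytes")
    if not inflater.eof or inflater.unused_data:
        raise MalformedMessage("compressed stream truncated or followed by trailing data")
    return original_opcode, inflated


def is_consistent(frame: bytes) -> bool:
    """Accept/reject wrapper for callers that do not need the payload."""
    try:
        decode_op_compressed(frame)
        return True
    except MalformedMessage:
        return False


if __name__ == "__main__":
    sample = b'{"ping": 1}' * 8  # constructed stand-in for a BSON body
    print("honest frame accepted:", is_consistent(build_op_compressed(sample)))
    print("length over-declared rejected:", not is_consistent(build_op_compressed(sample, len(sample) + 4096)))
    print("length under-declared rejected:", not is_consistent(build_op_compressed(sample, 3)))
```

The over-declared case is the one that matters for this CVE: a decoder that allocates `uncompressedSize` bytes, inflates into the front of that buffer and then treats the whole allocation as the message will pass whatever the allocator left in the tail back to the caller. Comparing the inflated length to the declared one, and bounding the inflate so an under-declared stream cannot blow up memory either, closes both directions of the mismatch.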

Security Summary

CVE-2025-14847 involves mismatched length fields in Zlib compressed protocol headers within MongoDB Server, potentially allowing an unauthenticated client to read uninitialized heap memory. This vulnerability affects multiple versions across several MongoDB Server branches: all v7.0 prior to 7.0.28, v8.0 prior to 8.0.17, v8.2 prior to 8.2.3, v6.0 prior to 6.0.27, v5.0 prior to 5.0.32, v4.4 prior to 4.4.30, v4.2 versions greater than or equal to 4.2.0, v4.0 versions greater than or equal to 4.0.0, and v3.6 versions greater than or equal to 3.6.0. It is associated with CWE-130 (Improper Handling of Length Parameter Inconsistency) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated remote attacker can exploit this issue over the network with low attack complexity and no user interaction. Successful exploitation discloses the contents of uninitialized heap memory to the attacker; the impact is to confidentiality only (C:H), with no integrity or availability impact recorded in the vector. Uninitialized heap contents are whatever the allocator previously handed out, so what is disclosed depends on server activity and cannot be bounded by the defender in advance; treat the exposure as a potential leak of any data the mongod process has recently handled.

The fixed releases are MongoDB Server 7.0.28, 8.0.17, 8.2.3, 6.0.27, 5.0.32 and 4.4.30. No fixed release is listed for the 4.2, 4.0 and 3.6 branches, which are affected in their entirety, so deployments on those branches need to move to a branch that has a fix. References include MongoDB's JIRA ticket SERVER-115508, an oss-security mailing list announcement, and third-party resources offering detection and mitigation scripts for this issue.
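Because the fixed release differs per branch and three branches have none, a fleet check needs the branch table rather than a single threshold. The following is an added example written for this page, not code from the advisory or from MongoDB: it parses a server version string, looks up its branch in a table transcribed from the Description above, and reports whether the host is affected and what to do. Branches the advisory does not mention are reported as not covered rather than guessed at; release candidates are ordered before the final release they precede. The inventory in the `__main__` block is constructed.

```python
"""Added example, not from the page or from MongoDB: classify MongoDB Server
versions against the affected ranges and fixed releases the advisory lists
for CVE-2025-14847. FIXED_RELEASE is transcribed from the description;
branches absent from it are reported as not covered, not assumed safe.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed release per branch as listed in the advisory. None means the advisory
# lists no fixed release for that branch, i.e. every version on it is affected.
FIXED_RELEASE: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
    (4, 2): None,
    (4, 0): None,
    (3, 6): None,
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-rc\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '7.0.27', 'v8.0.17' or '8.0.17-rc1' into a comparable tuple.

    The fourth element orders a release candidate (0) before its final
    release (1): an rc of the fixed version is still pre-fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), 0 if rc else 1


def assess(version: str) -> Dict[str, object]:
    """Return a triage record for one server version.

    'affected' is True/False when the branch is in the advisory and None when
    it is not; 'fixed_in' is the branch's fixed release or None.
    """
    major, minor, patch, stage = parse_version(version)
    branch = (major, minor)
    record: Dict[str, object] = {"version": version, "branch": f"{major}.{minor}"}
    if branch not in FIXED_RELEASE:
        record.update(affected=None, fixed_in=None,
                      action="branch not listed in the advisory; check vendor guidance")
        return record
    fixed = FIXED_RELEASE[branch]
    if fixed is None:
        record.update(affected=True, fixed_in=None,
                      action="no fixed release on this branch; migrate to a fixed branch")
        return record
    affected = (major, minor, patch, stage) < (*fixed, 1)
    fixed_str = ".".join(map(str, fixed))
    record.update(affected=affected, fixed_in=fixed_str,
                  action=f"upgrade to {fixed_str} or later" if affected else "fixed")
    return record


def triage(versions: List[str]) -> List[Dict[str, object]]:
    """Assess an inventory and list the affected hosts first."""
    records = [assess(v) for v in versions]
    return sorted(records, key=lambda r: (r["affected"] is not True, str(r["version"])))


if __name__ == "__main__":
    # Constructed inventory. In practice take the 'version' field from
    # db.runCommand({buildInfo: 1}) on each host.
    inventory = ["7.0.27", "8.0.17", "v6.0.26", "4.2.25", "8.2.3", "8.0.17-rc0", "8.1.2"]
    for rec in triage(inventory):
        print(f"{rec['version']:>10}  affected={str(rec['affected']):<5} {rec['action']}")
```

Feed it the `version` field of `buildInfo` from each host rather than the package version reported by the OS, since the two can drift on hand-upgraded servers. A host on 4.2, 4.0 or 3.6 is reported affected with no fixed release, which is the advisory's position: there is nothing to patch to on those branches.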

Details

CWE(s): CWE-130 Improper Handling of Length Parameter Inconsistency
KEV Date Added: 29 December 2025

Affected Products

Vendor: mongodb
Product: mongodb
Versions: 3.6.0 to 4.4.30, 5.0.0 to 5.0.32, 6.0.0 to 6.0.27, each upper bound being the fixed release and therefore exclusive. The 7.0, 8.0 and 8.2 ranges given in the Description are not repeated in this list.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2025-14847 is an unauthenticated, remotely triggerable flaw in MongoDB Server's handling of compressed wire-protocol messages, so a mongod reachable from the Internet is a public-facing application in the T1190 sense and exploitation yields heap memory disclosure without any prior foothold. The mapping assumes the listener is reachable by the attacker; an instance bound to an internal network is not Internet-facing, but it is still exposed to anything on that network that can reach its port, because no credentials are required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
