






















Published on:
Dec 26, 2025
You are affected if Aikido reports:
These checks are available in the free version of Aikido Security.
You are likely affected if:
Upgrade MongoDB to a patched version:
This vulnerability impacts organizations running self-managed MongoDB servers on affected versions where:
This includes MongoDB deployed on:
MongoDB disclosed a vulnerability in its network transport layer that can result in uninitialized server memory being sent to clients. Because the issue occurs during message decompression, it is triggered before authentication, allowing unauthenticated attackers to exploit it remotely.
The vulnerability is tracked as CVE-2025-14847.
The attack targets MongoDB’s handling of compressed network messages. By sending specially crafted compressed payloads, an attacker can cause MongoDB to miscalculate the length of decompressed data and include unintended memory contents in its response.
The vulnerability enables information disclosure, which may be used for reconnaissance, data harvesting, or chaining with other attacks.
Even partial memory disclosure can reveal sensitive application data, expose internal server state, and assist attackers in lateral movement.
{{cta}}
The issue resides in MongoDB’s network transport compression layer, specifically in the zlib decompression logic.
Incorrect handling of decompressed message lengths caused MongoDB to return uninitialized heap memory beyond the intended payload, resulting in memory disclosure.
MongoDB’s own regression tests and patches demonstrate that malformed compressed frames could reliably trigger the issue, confirming exploitability under attacker-controlled input.
This class of vulnerability typically arises from complex memory management in high-performance network code, insufficient validation of attacker-controlled input, and mismatches between allocated buffer sizes and actual data length.
Workloads are at risk if they:
Aikido helps teams reduce exposure to vulnerabilities like CVE-2025-14847 by focusing on early signals and real runtime risk, not just CVE listings.
This lets developers identify and fix real exposure quickly without waiting on delayed CVE feeds. Learn more about Aikido Security here.
CVE-2025-14847 is a critical MongoDB vulnerability that allows unauthenticated attackers to leak server memory via zlib compression.
MongoDB 8.2
MongoDB 8.0
MongoDB 7.0
MongoDB 6.0
MongoDB 5.0
MongoDB 4.4
MongoDB 4.2
MongoDB 4.0
MongoDB 3.6
Last updated on:
Mar 17, 2026
Tired of false positives?
Try Aikido like 100k others.
Start Now
Get a personalized walkthrough
Trusted by 100k+ teams
Book Now
Scan your app for IDORs and real attack paths
Trusted by 100k+ teams
Start Scanning
See how AI pentests your app
Trusted by 100k+ teams
Start Testing
Check If You're Vulnerable
Scan Repo
Run free scan
•
Vulnerabilities & Threats
Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.
•
Vulnerabilities & Threats
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.
•
Vulnerabilities & Threats
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
No credit card required | Scan results in 32secs.


此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。