Published on December 24, 2025
Critical MongoDB Flaw Leaks Sensitive Data Through zlib Compression
Severity
Critical
CVE-2025-14847 is a critical vulnerability caused by improper handling of uninitialized heap memory in MongoDB’s zlib network message compression implementation.
The flaw allows unauthenticated remote attackers to extract uninitialized memory contents from the MongoDB server by sending specially crafted compressed network messages. This exposed memory may contain sensitive information such as credentials, query data, or other confidential database contents.
The vulnerability affects MongoDB versions dating back to v3.6 and is particularly severe because exploitation requires no authentication.
| CVE Number | Description | CVSS Score (Severity) |
|---|---|---|
| CVE-2025-14847 | Uninitialized Heap Memory Exposure via zlib Compression in MongoDB Network Messaging | 9.8 (Critical) |
Attackers can exploit this weakness remotely by abusing the zlib compression mechanism used for MongoDB client-server communication, allowing disclosure of sensitive heap memory data without valid credentials.
Affected Versions
MongoDB Server
- 8.2.0 – 8.2.2 → Upgrade to 8.2.3 or above
- 8.0.0 – 8.0.16 → Upgrade to 8.0.17 or above
- 7.0.0 – 7.0.26 → Upgrade to 7.0.28 or above
- 6.0.0 – 6.0.26 → Upgrade to 6.0.27 or above
- 5.0.0 – 5.0.31 → Upgrade to 5.0.32 or above
- 4.4.0 – 4.4.29 → Upgrade to 4.4.30 or above
- All MongoDB Server versions 4.2, 4.0, and 3.6 are affected
Recommendation
To mitigate the risk of exploitation, administrators are strongly advised to upgrade MongoDB to the latest patched versions immediately.
For environments where an upgrade cannot be performed right away, temporarily disable zlib compression by configuring mongod or mongos to exclude zlib from the compressor list, using the networkMessageCompressors command-line option or the net.compression.compressors configuration-file setting.
Recommended safe values include:
- snappy,zstd
- disabled
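To confirm the workaround is actually in place on a host, the following shell check, added here and not part of the advisory, reads a mongod.conf and reports whether zlib is still listed under net.compression.compressors. The config fragments are constructed samples, and the check assumes that an unset value falls back to the server default, which still includes zlib.

```shell
#!/bin/sh
# Constructed mongod.conf fragments (sample data, not from any real deployment).
VULNERABLE_CONF='net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib'

MITIGATED_CONF='net:
  port: 27017
  compression:
    compressors: snappy,zstd'

UNSET_CONF='net:
  port: 27017'

# Print the configured compressor list from the config text in $1,
# or "default" when net.compression.compressors is not set at all.
get_compressors() {
    list=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*compressors:[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]"'"'")
    printf '%s\n' "${list:-default}"
}

# Exit status 0 when zlib is enabled (explicitly, or implicitly via the
# default list), 1 when it is excluded, e.g. "snappy,zstd" or "disabled".
zlib_enabled() {
    case ",$(get_compressors "$1")," in
        *,zlib,*)  return 0 ;;   # zlib listed explicitly
        ,default,) return 0 ;;   # unset: assume the built-in default still includes zlib
        *)         return 1 ;;   # mitigated as the advisory recommends
    esac
}

# Report on a real file: sh check.sh /etc/mongod.conf
if [ -n "$1" ] && [ -f "$1" ]; then
    if zlib_enabled "$(cat "$1")"; then
        echo "zlib compression still enabled in $1 (CVE-2025-14847 workaround NOT applied)"
    else
        echo "zlib compression excluded in $1 (workaround applied)"
    fi
fi
```

The same restriction applied on the command line is `--networkMessageCompressors snappy,zstd`; this script only inspects the configuration file, not a running process.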
Source
https://gbhackers.com/critical-mongodb-flaw-leaks-sensitive-data-through-zlib-compression/
