CVE 8.7 HIGH

Zlib compressed protocol header length confusion may allow memory read_CVE-2025-14847

December 19, 2025 invoker category_cve
8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

AI Analysis

Zlib compressed protocol header length confusion may allow memory read

Basic Information

ID CVE-2025-14847
Source mongodb
Published Dec 19, 2025 at 11:00

Affected Product

Vendor MongoDB Inc.
Product MongoDB Server
Version 8.2
Affected Versions MongoDB Inc. MongoDB Server 8.2
MongoDB Inc. MongoDB Server 8.0
MongoDB Inc. MongoDB Server 7.0
MongoDB Inc. MongoDB Server 6.0
MongoDB Inc. MongoDB Server 5.0
MongoDB Inc. MongoDB Server 4.4
MongoDB Inc. MongoDB Server 4.2
MongoDB Inc. MongoDB Server 4.0
MongoDB Inc. MongoDB Server 3.6

CWE Classification

CWE-130

AI Assessment

AI Score 8.7 / 10
AI Severity High
Vendor MongoDB Inc.
Product MongoDB Server
Version 3.6.0, 4.0.0, 4.2.0, 4.4.0, 5.0.0, 6.0.0, 7.0.0, 8.0.0, 8.2.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.