
MongoDB has issued an urgent warning for IT administrators to patch their systems immediately. The warning concerns a high-severity security vulnerability that can be exploited remotely without authentication.
The vulnerability is tracked as CVE-2025-14847. It allows attackers to read server memory and potentially access sensitive data. The attack requires low complexity and does not need user interaction.
According to MongoDB’s security team, the issue is related to the server’s zlib compression implementation. A malicious client can exploit this flaw to retrieve uninitialized heap memory without authenticating to the server.
In some scenarios, this vulnerability could also lead to arbitrary code execution and full system compromise. Due to the serious risk, MongoDB strongly recommends upgrading as soon as possible.
If an immediate upgrade is not possible, administrators should disable zlib compression by configuring networkMessageCompressors or net.compression.compressors to exclude zlib.
MongoDB has released patched versions, and users are advised to upgrade to one of the following versions immediately: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
The vulnerability affects a wide range of MongoDB versions, including several older and end-of-life releases. All MongoDB Server versions 3.6, 4.0, and 4.2 are also impacted.
MongoDB is a widely used non-relational database platform with more than 62,500 customers worldwide, including many Fortune 500 companies. Prompt patching is essential to reduce the risk of real-world attacks.
