Update 12/26/25: Article updated to correct that the flaw has not been officially classified as an RCE.
MongoDB has warned IT admins to immediately patch a high-severity memory-read vulnerability that may be exploited by unauthenticated attackers remotely.
Tracked as CVE-2025-14847, the security flaw affects multiple MongoDB and MongoDB Server versions and may be abused by unauthenticated threat actors in low-complexity attacks that don’t require user interaction.
“An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible,” MongoDB’s security team said in a Friday advisory.
“We strongly suggest you upgrade immediately. If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”
CVE-2025-14847 is due to an improper handling of length parameter inconsistency, which according to the associated CWE-130 classification, could potentially allow attackers to execute arbitrary code and potentially gain control of targeted devices in some cases.
To patch the security flaw and block potential attacks, admins are advised to immediately upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
The vulnerability impacts the following MongoDB versions:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a MongoDB mongo-express RCE flaw (CVE-2019-10758) to its catalog of known exploited vulnerabilities four years ago, tagging it as actively exploited and ordering federal agencies to secure their systems, as mandated by Binding Operational Directive (BOD) 22-01.
MongoDB is a popular non-relational database management system (DBMS) that, unlike relational databases such as PostgreSQL and MySQL, stores data in BSON (Binary JSON) documents instead of tables.
The database software is used by more than 62,500 customers worldwide, including dozens of Fortune 500 companies.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.
