CVE-2025-14847 — MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability

CVE-2025-14847

MongoDB — Unauthenticated Heap Memory Leak via Zlib Inconsistent Length Fields; Pre-Auth Confidentiality Impact

What is MongoDB?

MongoDB is one of the most widely deployed open-source document databases, used across enterprise and cloud-native applications to store BSON (binary JSON-like) documents. Its wire protocol can optionally compress messages with zlib, snappy, or zstd by wrapping them in an OP_COMPRESSED envelope. The server inflates that envelope before the wrapped command is dispatched, and therefore before any authentication check runs: any client that can reach the port, authenticated or not, can submit compressed messages that the server will decompress.

Overview

CVE-2025-14847 is an improper handling of length parameter inconsistency (CWE-130) in MongoDB's handling of zlib-compressed wire protocol messages. A client can send a compressed message whose declared sizes do not agree with what the zlib payload actually inflates to. The server's decompression path then works with a buffer that is sized or positioned from the wrong value, so bytes that zlib never wrote (uninitialized or stale heap content) are treated as part of the message and can be copied into the response sent back to the client. An unauthenticated client can therefore read portions of the mongod process heap without credentials. This is not a read at an attacker-chosen address; it exposes whatever happens to occupy the heap memory the mishandled buffer covers.

CISA adds an entry to the KEV catalog only on evidence of active exploitation, so the listing ten days after the patch (December 19 to December 29) means the vulnerability was being exploited in the wild almost immediately after disclosure, not merely that it looked easy to exploit.

Affected Versions

Branch          Vulnerable   Fixed
MongoDB 4.4.x   < 4.4.30     4.4.30
MongoDB 5.0.x   < 5.0.32     5.0.32
MongoDB 6.0.x   < 6.0.27     6.0.27
MongoDB 7.0.x   < 7.0.28     7.0.28
MongoDB 8.0.x   < 8.0.17     8.0.17
MongoDB 8.2.x   < 8.2.3      8.2.3

Technical Details

The vulnerability (CWE-130: Improper Handling of Length Parameter Inconsistency) is in MongoDB's wire protocol decompression code for zlib-compressed messages. A compressed message is an OP_COMPRESSED frame (opcode 2012). After the standard 16-byte message header (messageLength, requestID, responseTo, opCode) it carries:

  • originalOpcode (int32): the opcode of the wrapped message
  • uncompressedSize (int32): the declared size of the wrapped message once inflated, excluding the header
  • compressorId (uint8): 0 noop, 1 snappy, 2 zlib, 3 zstd
  • compressedMessage: the compressed bytes, whose length is whatever remains of messageLength

The receiver therefore sees two independent client-supplied statements about size: the compressed payload length implied by messageLength, and the uncompressedSize the client claims. Neither can be trusted; the only authoritative figure is how many bytes zlib actually produces. When the declared values are deliberately inconsistent with the payload, MongoDB sizes a decompression buffer from one value but treats the output as if it matched another, so part of the wrapped message is read from an incorrect offset, from memory the decompressor never filled. That region holds whatever the allocator left there, and because the server parses and answers the wrapped command out of that buffer, heap contents that were never part of the client's message can end up in the reply.
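The following is an added illustration, not MongoDB's code: it builds real OP_COMPRESSED frames per the public wire-protocol layout above (with a constructed placeholder body in place of BSON), then shows the CWE-130 pattern of a decoder that sizes its output from the client's uncompressedSize without checking what zlib produced, beside a strict decoder that cross-checks every length. In Python the unwritten tail is zero-filled; in a native implementation the same unwritten tail is whatever the allocator left behind, which is the point of the bug. The function names and the 4096-byte over-declaration are assumptions for the demo.

```python
import struct
import zlib

# Wire-protocol constants from the public MongoDB specification.
OP_MSG = 2013               # opcode of the wrapped command message
OP_COMPRESSED = 2012        # opcode of the compression envelope
COMPRESSOR_ZLIB = 2         # compressorId: 0 noop, 1 snappy, 2 zlib, 3 zstd
HEADER_LEN = 16             # messageLength, requestID, responseTo, opCode (int32 LE each)
ENVELOPE_LEN = 9            # originalOpcode (int32), uncompressedSize (int32), compressorId (uint8)
MAX_MESSAGE_SIZE = 48 * 1024 * 1024   # mongod's maxMessageSizeBytes

# Constructed placeholder for the wrapped message body (a real OP_MSG carries
# flagBits plus BSON sections; the content is irrelevant to the length checks).
SAMPLE_BODY = b"\x00\x00\x00\x00" + b"\x00" + b"{constructed OP_MSG body}" * 4


def build_op_compressed(inner_opcode, body, request_id, declared_uncompressed=None):
    """Wrap `body` in an OP_COMPRESSED frame using zlib.

    `declared_uncompressed` overrides the uncompressedSize field so a caller can
    produce a frame whose header disagrees with what the payload inflates to."""
    compressed = zlib.compress(body)
    uncompressed_size = len(body) if declared_uncompressed is None else declared_uncompressed
    envelope = struct.pack("<iiB", inner_opcode, uncompressed_size, COMPRESSOR_ZLIB)
    message_length = HEADER_LEN + len(envelope) + len(compressed)
    header = struct.pack("<iiii", message_length, request_id, 0, OP_COMPRESSED)
    return header + envelope + compressed


def _split_frame(frame):
    """Return (inner_opcode, uncompressed_size, compressor_id, compressed_bytes)
    after checking that the outer header matches the bytes actually received."""
    if len(frame) < HEADER_LEN + ENVELOPE_LEN:
        raise ValueError("frame shorter than OP_COMPRESSED header")
    message_length, _request_id, _response_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED:
        raise ValueError("not an OP_COMPRESSED frame")
    if message_length != len(frame) or message_length > MAX_MESSAGE_SIZE:
        raise ValueError("messageLength disagrees with bytes received")
    inner_opcode, uncompressed_size, compressor_id = struct.unpack_from("<iiB", frame, HEADER_LEN)
    return inner_opcode, uncompressed_size, compressor_id, frame[HEADER_LEN + ENVELOPE_LEN:]


def inflate_naive(frame):
    """CWE-130 pattern (illustrative, not MongoDB's code): the output buffer is
    sized from the client's uncompressedSize and zlib's real output length is
    never compared against it. Python zero-fills the bytearray; a native
    implementation doing the same hands back whatever was already in the tail."""
    inner_opcode, uncompressed_size, _compressor_id, compressed = _split_frame(frame)
    out = bytearray(uncompressed_size)
    inflated = zlib.decompress(compressed)
    out[:len(inflated)] = inflated            # bytes beyond len(inflated) are never written
    return inner_opcode, bytes(out)


def inflate_strict(frame):
    """Hardened form: every length on the wire is checked against every other,
    and the zlib stream must produce exactly uncompressedSize bytes."""
    inner_opcode, uncompressed_size, compressor_id, compressed = _split_frame(frame)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError(f"unsupported compressorId {compressor_id}")
    if not 0 <= uncompressed_size <= MAX_MESSAGE_SIZE - HEADER_LEN:
        raise ValueError("uncompressedSize outside the allowed message size")
    d = zlib.decompressobj()
    # Ask zlib for at most declared+1 bytes: an oversized stream is detected
    # without materialising it, and a short stream leaves eof unset.
    inflated = d.decompress(compressed, uncompressed_size + 1)
    if not d.eof or d.unconsumed_tail or d.unused_data:
        raise ValueError("zlib stream truncated, oversized, or followed by trailing bytes")
    if len(inflated) != uncompressed_size:
        raise ValueError(f"zlib produced {len(inflated)} bytes, header declared {uncompressed_size}")
    return inner_opcode, inflated


def strict_rejects(frame):
    """True if inflate_strict refuses the frame."""
    try:
        inflate_strict(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    honest = build_op_compressed(OP_MSG, SAMPLE_BODY, 1)
    oversized = build_op_compressed(OP_MSG, SAMPLE_BODY, 2, declared_uncompressed=len(SAMPLE_BODY) + 4096)
    undersized = build_op_compressed(OP_MSG, SAMPLE_BODY, 3, declared_uncompressed=8)
    print("honest frame accepted:", inflate_strict(honest)[1] == SAMPLE_BODY)
    _, leaked = inflate_naive(oversized)
    print("naive path returned", len(leaked) - len(SAMPLE_BODY), "bytes the client never sent")
    print("strict path rejects oversized/undersized:", strict_rejects(oversized), strict_rejects(undersized))
```

The strict decoder treats the zlib output length as the only ground truth and rejects the frame on any disagreement with messageLength or uncompressedSize, which is the discipline CWE-130 asks for: a declared length is an input to validate, never a value to allocate or copy by on its own.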

Attack scenario:

  1. An unauthenticated client connects to the MongoDB listener (default TCP 27017)
  2. The client sends a zlib-compressed OP_COMPRESSED frame whose declared length fields are intentionally inconsistent with the payload
  3. MongoDB decompresses using the incorrect length values and parses the wrapped command out of a partly unfilled buffer
  4. MongoDB returns heap memory to the client in the response body
  5. The attacker sifts the returned bytes for sensitive material: connection strings, cached query results, credentials, authentication tokens

Impact: Confidentiality only (C:H, I:N, A:N) — heap memory leakage without write or code execution capability. However, heap contents can include credentials, query data, and other sensitive application information.

Discovery

Not publicly attributed beyond MongoDB's internal identification.

Exploitation Context

CISA added the vulnerability to the KEV catalog ten days after the patch. KEV listing requires evidence of active exploitation, so this reflects confirmed in-the-wild attacks rather than a prediction. The attack surface explains the speed: a single unauthenticated TCP connection, no user interaction, no special conditions, against a service that is frequently found internet-exposed in cloud deployments, and often without authentication enabled.

Remediation

  1. Upgrade MongoDB to the fixed version for your branch per the table above. The CISA BOD 22-01 deadline was January 19, 2026.
  2. Restrict network access. MongoDB should never be directly internet-reachable: keep net.bindIp on internal interfaces only and place the server behind a firewall, VPN, or the application tier. Restricting access limits who can reach the bug but does not remove it; an attacker on an allowed network segment still needs no credentials.
  3. Enable authentication (security.authorization: enabled in mongod.conf, or --auth). Unauthenticated instances are a systemic risk beyond this CVE, but authentication is not a mitigation for it: the vulnerable decompression runs before any credential is checked.
  4. If you cannot patch immediately, remove zlib from the server-side compressor list (net.compression.compressors in mongod.conf, or --networkMessageCompressors on the command line), for example snappy,zstd or disabled. The driver-side compressors connection-string option only controls what your own clients request and does nothing against an attacker's client, so it is not a mitigation. Confirm with the vendor advisory that the server refuses zlib payloads when zlib is not enabled before relying on this.
  5. Rotate credentials, tokens, and other secrets that may have been in process memory if the server was reachable by untrusted clients before patching; heap contents may already have been exfiltrated.
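To turn the version table and the remediation steps above into a check you can run across a fleet, here is an added audit script (not MongoDB's tooling). It classifies a buildInfo.version string against the advisory's fixed versions and inspects a parsed mongod.conf for the three settings that matter here: net.bindIp, security.authorization, and net.compression.compressors. The configuration dicts and the "6.0.26"/"6.0.27" versions are constructed sample input; the default compressor list snappy,zstd,zlib and the localhost bind default are mongod's documented defaults.

```python
# Fixed versions from the advisory table, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (4, 4): (4, 4, 30),
    (5, 0): (5, 0, 32),
    (6, 0): (6, 0, 27),
    (7, 0): (7, 0, 28),
    (8, 0): (8, 0, 17),
    (8, 2): (8, 2, 3),
}

# mongod's defaults when the keys are absent from the config file.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"
DEFAULT_BIND_IP = "localhost"

# Constructed sample configs: an exposed, unauthenticated server and a hardened one.
WEAK_CONFIG = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    # no "security" section: authorization defaults to disabled
}
HARDENED_CONFIG = {
    "net": {"bindIp": "127.0.0.1,10.0.0.5", "port": 27017,
            "compression": {"compressors": "snappy,zstd"}},
    "security": {"authorization": "enabled"},
}


def parse_version(version):
    """Turn a buildInfo.version string such as '7.0.14' or '8.2.0-rc1' into a
    comparable (major, minor, patch) tuple, dropping any pre-release suffix."""
    core = version.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_status(version):
    """'fixed', 'vulnerable', or 'unknown' (branch absent from the advisory
    table, e.g. an EOL 4.2 server; treat as unpatched until confirmed)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def audit(version, config):
    """Return a list of finding strings for one server.

    `config` is mongod.conf as nested dicts: the YAML file loaded with
    yaml.safe_load, or the `parsed` document from db.adminCommand({getCmdLineOpts: 1})."""
    findings = []
    status = patch_status(version)
    if status != "fixed":
        findings.append(f"version {version} is {status} for CVE-2025-14847; upgrade")

    net = config.get("net") or {}
    listeners = [a.strip() for a in str(net.get("bindIp", DEFAULT_BIND_IP)).split(",")]
    if net.get("bindIpAll") or any(a in ("0.0.0.0", "::") for a in listeners):
        findings.append("net.bindIp listens on all interfaces; restrict to internal addresses")

    if (config.get("security") or {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled' (does not mitigate this CVE, "
                        "since decompression runs pre-auth, but required regardless)")

    compressors = (net.get("compression") or {}).get("compressors", DEFAULT_COMPRESSORS)
    enabled = [c.strip() for c in str(compressors).split(",")]
    if "zlib" in enabled and status != "fixed":
        findings.append("zlib is in net.compression.compressors on an unpatched server; "
                        "set snappy,zstd or disabled until patched")
    return findings


if __name__ == "__main__":
    for label, version, cfg in (("weak", "6.0.26", WEAK_CONFIG),
                                ("hardened", "6.0.27", HARDENED_CONFIG)):
        print(f"{label} ({version}):")
        for f in audit(version, cfg) or ["no findings"]:
            print("  -", f)
```

In practice feed patch_status the output of `mongosh --quiet --eval 'db.version()'` (or `client.admin.command("buildInfo")["version"]` with PyMongo) and audit the server's live options from `db.adminCommand({getCmdLineOpts: 1}).parsed`, which reflects what mongod is actually running rather than what a config file on disk says.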

Key Details

Property              Value
CVE ID                CVE-2025-14847
Vendor / Product      MongoDB — MongoDB and MongoDB Server
NVD Published         2025-12-19
NVD Last Modified     2026-01-13
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-130
CISA KEV Added        2025-12-29
CISA KEV Deadline     2026-01-19
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2026-01-19. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-19   CVE published; MongoDB releases fixed versions across all supported branches
2025-12-29   Added to CISA Known Exploited Vulnerabilities catalog (10 days after the patch)
2026-01-19   CISA BOD 22-01 remediation deadline

References

Resource                                            Type
MongoDB JIRA SERVER-115508 (CVE-2025-14847 fix)     Vendor Advisory
NVD entry for CVE-2025-14847                        Vulnerability Database
CISA KEV Catalog entry                              US Government
MongoDB Release Notes                               Vendor Advisory