High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover

AndyC 26 December 2025

High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover

The Complete Developer’s Guide to Essential Hackathon Software: 10 Categories That Separate Winners from Participants

The Complete Developer’s Guide to Essential Hackathon Software: 10 Categories That Separate Winners from Participants

High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover

Pierluigi Paganini
December 25, 2025

MongoDB addressed a high-severity vulnerability that can be exploited to achieve remote code execution on vulnerable servers.

MongoDB addressed a high-severity vulnerability, tracked as CVE-2025-14847 (CVSS score 8.7), an unauthenticated, remote attacker can exploit the issue to execute arbitrary code on vulnerable servers.

“An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible.” reads the advisory.

This flaw impacts the following MongoDB versions:

  • MongoDB 8.2.0 through 8.2.3
  • MongoDB 8.0.0 through 8.0.16
  • MongoDB 7.0.0 through 7.0.26
  • MongoDB 6.0.0 through 6.0.26
  • MongoDB 5.0.0 through 5.0.31
  • MongoDB 4.4.0 through 4.4.29
  • All MongoDB Server v4.2 versions
  • All MongoDB Server v4.0 versions
  • All MongoDB Server v3.6 versions

Versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 addressed the issue.

Users should upgrade immediately or, if unable, disable zlib compression on MongoDB by configuring compression options to omit zlib.

“We strongly suggest you upgrade immediately.” continues the advisory. “If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. Example safe values include snappy,zstd or disabled”

MongoDB is a popular open-source NoSQL database used to store and manage data in a flexible, document-based format.

Instead of tables and rows like traditional SQL databases, MongoDB stores data as JSON-like documents (called BSON). This makes it well suited for modern applications that need scalability, high performance, and flexible data models.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2025-14847)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , ,

More Stories

FBI seized ‘web3adspanels.org’ hosting stolen logins

FBI seized ‘web3adspanels.org’ hosting stolen logins

AndyC 25 December 2025
U.S. Federal Communications Commission (FCC) bans foreign-made drones over national security concerns

U.S. Federal Communications Commission (FCC) bans foreign-made drones over national security concerns

AndyC 25 December 2025
Italian regulator rules Apple’s ATT feature limits competition

Italian regulator rules Apple’s ATT feature limits competition

AndyC 25 December 2025
La Poste outage after a cyber attack disrupts digital banking and online services

La Poste outage after a cyber attack disrupts digital banking and online services

AndyC 25 December 2025
Essential CISO and IT Pro Guide to Entra ID Security and Passwordless Failure

Essential CISO and IT Pro Guide to Entra ID Security and Passwordless Failure

AndyC 24 December 2025
Red Hat GitLab breach exposes data of 21,000 Nissan customers

Red Hat GitLab breach exposes data of 21,000 Nissan customers

AndyC 24 December 2025

You may have missed

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

AndyC 26 December 2025
Best of 2025: UNC6395 and the Salesloft Drift Attack: Why Salesforce OAuth Integrations are a Growing Risk

Best of 2025: UNC6395 and the Salesloft Drift Attack: Why Salesforce OAuth Integrations are a Growing Risk

AndyC 26 December 2025
The Complete Developer’s Guide to Essential Hackathon Software: 10 Categories That Separate Winners from Participants

High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover

AndyC 26 December 2025
5 eye-opening Google Android app tricks from 2025

How to migrate to a new Windows PC

AndyC 26 December 2025
LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

AndyC 26 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.