Wednesday, December 24, 2025

MongoDB warns admins to patch extreme RCE flaw instantly


MongoDB has warned IT admins to immediately patch a high-severity vulnerability that can be exploited in remote code execution (RCE) attacks targeting vulnerable servers.

Tracked as CVE-2025-14847, this security flaw affects multiple MongoDB and MongoDB Server versions and can be exploited by unauthenticated threat actors in low-complexity attacks that do not require user interaction.

CVE-2025-14847 is caused by improper handling of a length parameter inconsistency, which can allow attackers to execute arbitrary code and potentially take control of targeted devices.


To patch the security flaw and block potential attacks, admins are advised to immediately upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

The vulnerability affects the following MongoDB versions:

  • MongoDB 8.2.0 through 8.2.3
  • MongoDB 8.0.0 through 8.0.16
  • MongoDB 7.0.0 through 7.0.26
  • MongoDB 6.0.0 through 6.0.26
  • MongoDB 5.0.0 through 5.0.31
  • MongoDB 4.4.0 through 4.4.29
  • All MongoDB Server v4.2 versions
  • All MongoDB Server v4.0 versions
  • All MongoDB Server v3.6 versions

“A client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible,” MongoDB’s security team said in a Friday advisory.

“We strongly suggest you upgrade immediately. If you can’t upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”
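Checking whether the workaround above is actually in place is easy to get wrong, because a mongod with no compressor setting at all still negotiates zlib by default. The audit helper below is an added example, not MongoDB's code or tooling; it assumes the default compressor list is snappy,zstd,zlib, that the value `disabled` switches compression off, and that a given instance sets the option either in its config file or on its command line, not both. The config texts are constructed samples.

```python
"""Audit whether a mongod/mongos instance still accepts zlib-compressed messages.

Assumption: with no net.compression.compressors key and no
--networkMessageCompressors flag, MongoDB enables snappy, zstd AND zlib,
so an unconfigured server must be reported as still exposed.
"""
from typing import Optional

DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]  # assumed server default

# Constructed sample configs: the first leaves zlib on, the second omits it.
WEAK_CONF = """storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib
"""
HARDENED_CONF = WEAK_CONF.replace("snappy,zstd,zlib", "snappy,zstd")


def compressors_from_config(text: str) -> Optional[str]:
    """Return the raw net.compression.compressors value from YAML-style config
    text, or None if unset. Indentation is tracked so a 'compressors' key in
    some other section is not mistaken for the one under net.compression."""
    path = []  # stack of (indent, key) for the current nesting
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key.strip()))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return value.strip().strip("'\"")
    return None


def compressors_from_argv(argv: list) -> Optional[str]:
    """Return the --networkMessageCompressors value from a command line, or None."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def zlib_enabled(config_text: str = "", argv: list = ()) -> bool:
    """True if zlib would be negotiated: explicit list containing it, or no setting."""
    raw = compressors_from_argv(list(argv))
    if raw is None:
        raw = compressors_from_config(config_text)
    if raw is None:
        return "zlib" in DEFAULT_COMPRESSORS
    if raw.strip() == "disabled":  # assumed keyword that turns compression off
        return False
    return "zlib" in [c.strip() for c in raw.split(",")]
```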

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another MongoDB RCE flaw (CVE-2019-10758) to its catalog of known exploited vulnerabilities four years ago, tagging it as actively exploited and ordering federal agencies to secure their systems, as mandated by Binding Operational Directive (BOD) 22-01.

MongoDB is a popular non-relational database management system (DBMS) that, unlike relational databases such as PostgreSQL and MySQL, stores data in BSON (Binary JSON) documents instead of tables.

The database software is used by more than 62,500 customers worldwide, including dozens of Fortune 500 companies.
