vulnerability
MongoDB: Mismatched length fields in Zlib compressed protocol headers may allow unauthenticated information disclosure (CVE-2025-14847)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Dec 19, 2025 | Dec 27, 2025 | Jan 5, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Dec 19, 2025
Added
Dec 27, 2025
Modified
Jan 5, 2026
Description
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, and MongoDB Server v4.4 versions prior to 4.4.30.
Required Configuration: MongoDB Server must have network message compression enabled with Zlib (often enabled by default or negotiated via client).
Solutions
mongodb-upgrade-4_4_30mongodb-upgrade-5_0_32mongodb-upgrade-6_0_27mongodb-upgrade-7_0_28mongodb-upgrade-8_0_17mongodb-upgrade-8_2_3
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.