vulnerability
MongoDB: Mismatched length fields in Zlib compressed protocol headers may allow unauthenticated information disclosure (CVE-2025-14847)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Dec 19, 2025 | Dec 27, 2025 | May 20, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Dec 19, 2025
Added
Dec 27, 2025
Modified
May 20, 2026
Description
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, and MongoDB Server v4.4 versions prior to 4.4.30.
Required Configuration: MongoDB Server must have network message compression enabled with Zlib (often enabled by default or negotiated via client).
Solutions
mongodb-upgrade-4_4_30mongodb-upgrade-5_0_32mongodb-upgrade-6_0_27mongodb-upgrade-7_0_28mongodb-upgrade-8_0_17mongodb-upgrade-8_2_3
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.