Critical memory disclosure vulnerability in MongoDB Server allowing unauthenticated remote attackers to read heap memory through malformed Zlib compressed protocol headers. CISA has added this to KEV catalog due to confirmed active exploitation in the wild.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-12-19
Added to CISA KEV: 2025-12-29 10 DAYS BETWEEN CVE AND KEV
"CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap," OP Innovate said. "This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation." Found this article interesting?
Successful exploitation of the shortcoming could allow an attacker to extract sensitive information from MongoDB servers, including user information, passwords, and API keys.This includes both internet-exposed and internal resources. The exact details surrounding the nature of attacks exploiting the flaw are presently unknown. Users are advised to update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Patches for MongoDB Atlas have been applied.
Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-14847