Intel

AIKIDO-2025-10972

mongodb-org-database is vulnerable to Disclosure of Sensitive Heap Memory Data

Disclosure of Sensitive Heap Memory Data (CVE-2025-14847)

Risk score: 87 (High Risk)

This affects:

Ecosystem: os
Package:   mongodb-org-database

Affected versions    Fixed in
0.0.1 - 4.4.29       4.4.30
5.0.0 - 5.0.31       5.0.32
6.0.0 - 6.0.26       6.0.27
7.0.0 - 7.0.27       7.0.28
8.0.0 - 8.0.16       8.0.17
8.1.0 - 8.2.2        8.2.3

TL;DR

Affected versions of MongoDB Server are vulnerable to an unauthenticated information disclosure (CVE-2025-14847) due to improper handling of zlib-compressed network traffic, where malformed compressed frames can cause MongoDB to include uninitialized heap memory in server responses. An attacker with only network access and no authentication can trigger this behavior when compression is enabled, potentially exposing fragments of previous query results, internal server state, or sensitive values from process memory. The issue affects multiple MongoDB releases up to recent patch levels and is fixed in newer versions; mitigation requires upgrading, restricting network exposure, or disabling zlib compression until patches are applied.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mongodb-org-database is vulnerable to Disclosure of Sensitive Heap Memory Data in versions 0.0.1 - 4.4.29, 5.0.0 - 5.0.31, 6.0.0 - 6.0.26, 7.0.0 - 7.0.27, 8.0.0 - 8.0.16 and 8.1.0 - 8.2.2.

How to fix this

Upgrade the mongodb-org-database package to the patched release for your line (4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17 or 8.2.3). Until the upgrade is in place, restrict network exposure of the server or disable zlib compression.
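To check a deployment against the ranges listed above and to confirm whether zlib is still among the compressors mongod will negotiate, here is an added Python helper (not part of this advisory, nor Aikido's or MongoDB's tooling). It assumes the version string returned by db.version() and the value of the mongod setting net.compression.compressors as its inputs:

```python
"""Offline check of a MongoDB Server version against the ranges this advisory
lists for CVE-2025-14847. Added example, not Aikido's or MongoDB's code. Input
is the string db.version() returns (or 'version' from mongod --version)."""
from typing import Dict, Tuple

# (first affected, last affected, fixed in), copied from the advisory table.
AFFECTED_RANGES = [
    ("0.0.1", "4.4.29", "4.4.30"),
    ("5.0.0", "5.0.31", "5.0.32"),
    ("6.0.0", "6.0.26", "6.0.27"),
    ("7.0.0", "7.0.27", "7.0.28"),
    ("8.0.0", "8.0.16", "8.0.17"),
    ("8.1.0", "8.2.2", "8.2.3"),
]

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'8.0.16', 'v8.0.16' or '8.0.17-rc0' -> comparable tuple. A pre-release
    suffix ranks below the final release, so 8.0.17-rc0 is still unpatched."""
    core, _, suffix = text.strip().lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")] + [0, 0]
    return (parts[0], parts[1], parts[2], -1 if suffix else 0)

def assess(version: str) -> Dict[str, str]:
    """'vulnerable' (inside a listed range, with the version to upgrade to),
    'patched' (at or past the fix of its release line) or 'unlisted'."""
    v = parse_version(version)
    for i, (first, _last, fixed) in enumerate(AFFECTED_RANGES):
        lo, hi = parse_version(first), parse_version(fixed)
        # 'last' is the patch just below 'fixed', so [first, fixed) is the same
        # range as the table and also catches pre-releases of the fix.
        if lo <= v < hi:
            return {"status": "vulnerable", "version": version, "upgrade_to": fixed}
        # From the fix up to the next listed range is a patched line (4.4.31, 8.3.0).
        nxt = AFFECTED_RANGES[i + 1][0] if i + 1 < len(AFFECTED_RANGES) else None
        if v >= hi and (nxt is None or v < parse_version(nxt)):
            return {"status": "patched", "version": version, "fixed_in": fixed}
    return {"status": "unlisted", "version": version}

def zlib_enabled(compressors: str) -> bool:
    """True if mongod's net.compression.compressors value (command-line flag
    --networkMessageCompressors; default 'snappy,zstd,zlib') still allows zlib.
    Until the upgrade, dropping zlib from it (or setting it to 'disabled')
    removes the zlib-compressed message path the advisory describes."""
    return "zlib" in {c.strip().lower() for c in compressors.split(",")}

if __name__ == "__main__":  # constructed sample inputs, not real server output
    for ver in ("4.4.29", "8.0.17-rc0", "8.0.17", "8.3.0"):
        print(ver, assess(ver))
    print("zlib still enabled:", zlib_enabled("snappy,zstd,zlib"))
```

A "patched" result only means the version is past the fix for its line; a "vulnerable" result combined with zlib still enabled is the case to act on first.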