[Vulnerability Notice] MongoDB Heap Memory Information Disclosure Vulnerability Risk Notice (CVE-2025-14847)
On December 19, 2025, the Alibaba Cloud Security Center observed that MongoDB had published a security notice disclosing a heap memory information disclosure vulnerability (CVE-2025-14847) in its handling of zlib-compressed protocol messages. An unauthenticated remote attacker who sends a specially crafted zlib-compressed message can cause the target server to return uninitialized heap memory in its response, leaking sensitive data.
To avoid business impact, Alibaba Cloud Security recommends that you carry out a security self-check promptly and, if you are within the affected scope, update to a fixed version as soon as possible to avoid compromise by external attackers.
Vulnerability description
MongoDB is a high-performance, scalable document database with a distributed storage architecture, widely used for web applications. According to the vendor's description, affected versions of MongoDB Server do not adequately validate the length field in the message header when processing protocol messages compressed with zlib. An attacker can construct a message whose declared length does not match the actual compressed data (for example, a declared length larger than the real payload). When such a message is sent to the server, the server may read from the heap buffer according to the declared length during decompression and parsing. The extra bytes are stale, uninitialized contents left over from earlier use of that heap memory, and the server includes these memory fragments in its response even though they should never have been accessible.
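The following Python is an added illustration of the defect class the notice describes, not code from MongoDB or from the notice. It contrasts a decoder that sizes and returns its output buffer from the untrusted declared length with a hardened decoder that only returns bytes zlib actually produced and rejects any mismatch. The payload, the "stale heap" filler and the 48 MiB ceiling are constructed for the example; the real wire layout and buffer management in mongod are not reproduced here.

```python
import zlib

# Constructed sample: a small response body, zlib-compressed as a wire payload would be.
PAYLOAD = b'{"ok": 1, "user": "alice"}'
COMPRESSED = zlib.compress(PAYLOAD)

# Stand-in for previously used heap contents (constructed). Real servers reuse freed
# memory that may still hold fragments of earlier requests and responses.
STALE = b"<stale heap bytes>"


def _reused_buffer(size: int) -> bytearray:
    """Simulate allocating `size` bytes from a heap that still holds old data."""
    return bytearray((STALE * (size // len(STALE) + 1))[:size])


def decompress_trusting_declared_length(declared_len: int, compressed: bytes) -> bytes:
    """Vulnerable pattern: the output buffer is sized from the untrusted header and
    the caller hands back declared_len bytes regardless of how many zlib produced."""
    buf = _reused_buffer(declared_len)
    # Bounded by declared_len, so this never writes past the buffer; the problem
    # is what is returned, not what is written.
    out = zlib.decompressobj().decompress(compressed, declared_len)
    buf[: len(out)] = out
    return bytes(buf)  # payload followed by whatever was already in the buffer


def decompress_checked(declared_len: int, compressed: bytes,
                       max_len: int = 48 * 1024 * 1024) -> bytes:
    """Hardened form: return only bytes zlib actually produced and reject any
    message whose declared length does not match the real decompressed size.
    max_len is an illustrative ceiling (assumption), not a MongoDB constant."""
    if declared_len < 0 or declared_len > max_len:
        raise ValueError(f"declared length {declared_len} outside allowed range")
    d = zlib.decompressobj()
    # Ask for one byte more than declared so an oversized stream is detectable
    # (max_length=0 would mean "unlimited" for a declared length of zero).
    out = d.decompress(compressed, declared_len + 1)
    if len(out) != declared_len or not d.eof or d.unused_data:
        raise ValueError(
            f"declared {declared_len} bytes, stream produced {len(out)} (eof={d.eof})")
    return out


def demo() -> dict:
    """Run both decoders on a header that claims more bytes than the stream holds."""
    inflated = len(PAYLOAD) + 16
    leaked = decompress_trusting_declared_length(inflated, COMPRESSED)
    try:
        decompress_checked(inflated, COMPRESSED)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked": leaked,                                   # payload + 16 stale bytes
        "rejected": rejected,                               # True: mismatch refused
        "ok": decompress_checked(len(PAYLOAD), COMPRESSED), # honest header works
    }


if __name__ == "__main__":
    r = demo()
    print("vulnerable path returned extra bytes:", r["leaked"][len(PAYLOAD):])
    print("hardened path rejected mismatched header:", r["rejected"])
```

The check that matters is the comparison after decompression: the number of bytes the stream actually yields, with the stream fully consumed and nothing trailing, must equal what the header declared; anything else is a malformed message and the response must not be built from the pre-sized buffer.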
Affected versions
8.2.0 <= MongoDB Server < 8.2.3
8.0.0 <= MongoDB Server < 8.0.17
7.0.0 <= MongoDB Server < 7.0.28
6.0.0 <= MongoDB Server < 6.0.27
5.0.0 <= MongoDB Server < 5.0.32
4.4.0 <= MongoDB Server < 4.4.30
MongoDB Server 4.2
MongoDB Server 4.0
MongoDB Server 3.6
Fixed versions
MongoDB Server >= 8.2.3
MongoDB Server >= 8.0.17
MongoDB Server >= 7.0.28
MongoDB Server >= 6.0.27
MongoDB Server >= 5.0.32
MongoDB Server >= 4.4.30
Remediation
1. If you are using MongoDB, refer to the relevant official announcement for handling guidance.
2. If you run a self-built MongoDB service on Alibaba Cloud, upgrade to a fixed version after assessing the impact on your business.
Mitigation: disable zlib compression on the MongoDB server. The vulnerability can be temporarily mitigated by setting the networkMessageCompressors command-line option or the net.compression.compressors configuration option for the mongod or mongos process so that zlib is explicitly excluded (for example, set the value to snappy or zstd, or to both, or set it to disabled to turn off network message compression entirely).
Note: back up your data and test fully before upgrading to avoid accidents.
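As an added self-check helper (not a tool from MongoDB or Alibaba Cloud), the Python below encodes the affected and fixed ranges listed above, classifies a version string such as the first line of mongod --version, and evaluates a networkMessageCompressors / net.compression.compressors value to decide whether zlib is still enabled and what the mitigated value would be. The default compressor list used when the option is unset is an assumption in this example; confirm it against the documentation for your own release.

```python
import re

# Affected ranges as listed in the notice: [branch minimum, first fixed release).
AFFECTED_RANGES = [
    ((8, 2, 0), (8, 2, 3)),
    ((8, 0, 0), (8, 0, 17)),
    ((7, 0, 0), (7, 0, 28)),
    ((6, 0, 0), (6, 0, 27)),
    ((5, 0, 0), (5, 0, 32)),
    ((4, 4, 0), (4, 4, 30)),
]
# Branches the notice lists as affected without naming a fixed release.
AFFECTED_NO_FIX = {(4, 2), (4, 0), (3, 6)}

# Assumption in this example: the value MongoDB applies when the option is not
# set on recent releases; verify against the docs for your own version.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text: str) -> tuple:
    """Accept '8.0.16', 'v8.0.16' or 'db version v8.0.16' (mongod --version)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_status(text: str) -> str:
    """Classify a server version against the ranges in the notice."""
    v = parse_version(text)
    if v[:2] in AFFECTED_NO_FIX:
        return "affected (no fixed release listed; upgrade branch)"
    for low, fixed in AFFECTED_RANGES:
        if v[:2] == low[:2]:
            return "affected" if v < fixed else "fixed"
    return "not listed in the notice"


def zlib_enabled(compressors) -> bool:
    """Evaluate a --networkMessageCompressors / net.compression.compressors value.
    None means the option is unset and the assumed default applies."""
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    items = [c.strip().lower() for c in value.split(",") if c.strip()]
    if items == ["disabled"]:
        return False
    return "zlib" in items


def recommended_compressors(compressors) -> str:
    """The same list with zlib removed; 'disabled' if nothing remains."""
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    kept = [c.strip().lower() for c in value.split(",")
            if c.strip() and c.strip().lower() != "zlib"]
    return ",".join(kept) if kept else "disabled"


def assess(version_text: str, compressors=None) -> dict:
    """Combine the version and configuration checks into one verdict."""
    status = version_status(version_text)
    zlib_on = zlib_enabled(compressors)
    exposed = status.startswith("affected") and zlib_on
    return {
        "version": status,
        "zlib_enabled": zlib_on,
        "exposed": exposed,
        "mitigation": recommended_compressors(compressors) if exposed else None,
    }


if __name__ == "__main__":
    # Constructed inputs standing in for a real host's mongod --version output
    # and its current net.compression.compressors setting.
    for ver, comp in [("db version v8.0.16", None),
                      ("db version v8.0.16", "snappy,zstd"),
                      ("db version v8.0.17", None)]:
        print(ver, comp, "->", assess(ver, comp))
```

A host reported as exposed should have its compressor list changed to the returned mitigation value (for example snappy,zstd) and the mongod or mongos process restarted, with the upgrade to a fixed version scheduled as the permanent fix.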