[CIVN-2025-0382] Information Disclosure Vulnerability in MongoDB

Published On: December 24, 2025

Information Disclosure Vulnerability in MongoDB 
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
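The affected ranges above, turned into a fleet triage check. This is an added example, not part of the CERT-In advisory or of MongoDB's tooling; the host names, inventory format and sample versions are constructed. A result of `not-listed` means only that the version falls outside the ranges printed in this advisory.

```python
import re

# Affected ranges as printed in the advisory: (major, minor) -> highest affected
# patch release. None means every release of that branch is listed as affected.
AFFECTED = {
    (8, 2): 3, (8, 0): 16, (7, 0): 26, (6, 0): 26, (5, 0): 31, (4, 4): 29,
    (4, 2): None, (4, 0): None, (3, 6): None,
}
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def classify(version_text):
    """Return 'affected', 'not-listed' or 'unparsed' for one version string."""
    match = _VERSION.search(version_text)
    if not match:
        return "unparsed"  # keep for manual review, never assume safe
    major, minor, patch = (int(part) for part in match.groups())
    if (major, minor) not in AFFECTED:
        return "not-listed"
    ceiling = AFFECTED[(major, minor)]
    return "affected" if ceiling is None or patch <= ceiling else "not-listed"

def triage(inventory_text):
    """Map host -> status for lines of the form '<host> <version text>'."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        version_text = parts[1] if len(parts) > 1 else ""
        results[parts[0]] = classify(version_text)
    return results

# Constructed sample inventory (hypothetical hosts and collected version text).
SAMPLE_INVENTORY = """\
# host            version
db-a.example      8.0.16
db-b.example      8.0.17
db-c.example      v4.2.25
db-d.example      db version v7.0.26
db-e.example      unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

Hosts reported as `unparsed` should be checked by hand rather than treated as unaffected.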
Overview
A vulnerability has been reported in MongoDB, which could allow a remote attacker to access sensitive information on the targeted system.
Target Audience:
All end-user organizations and individuals using MongoDB.
Risk Assessment:
High risk of unauthorized access to sensitive data.
Impact Assessment:
Potential for unauthorized access and information disclosure.
Description
MongoDB is a document-based database that stores information in flexible, JSON-like documents rather than traditional tables and rows, making it well suited for handling large or evolving data structures.
This vulnerability exists in MongoDB due to mismatched length fields in zlib-compressed protocol headers, which can result in an out-of-bounds read of uninitialized heap memory.
Successful exploitation of this vulnerability could allow a remote attacker to access sensitive information on the targeted system.
Solution
Apply appropriate updates as mentioned in:
https://jira.mongodb.org/browse/SERVER-115508
Vendor Information
MongoDB
https://jira.mongodb.org/browse/SERVER-115508
References
MongoDB
https://jira.mongodb.org/browse/SERVER-115508
CVE Name
CVE-2025-14847
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
