A critical security flaw in MongoDB could allow unauthenticated attackers to extract sensitive data directly from server memory, prompting urgent patching warnings from security researchers and the database vendor.
The vulnerability, tracked as CVE-2025-14847, affects MongoDB’s implementation of zlib compression and exposes uninitialized heap memory to remote attackers without requiring login credentials.
Researchers say the issue significantly lowers the barrier for exploitation and could lead to large scale data leaks if left unaddressed.
According to security analyses published this week, the flaw exists in MongoDB’s network message decompression logic. By sending specially crafted network packets, an attacker can trigger MongoDB servers to return fragments of memory that were never intended to be shared.
This memory may contain sensitive information such as user data, credentials, cryptographic material or internal application secrets.
The vulnerability impacts a broad range of MongoDB versions across several major releases.
Affected versions include MongoDB 8.2.0 through 8.2.2, 8.0.0 through 8.0.16, 7.0.0 through 7.0.27, 6.0.0 through 6.0.26, 5.0.0 through 5.0.31 and 4.4.0 through 4.4.29. Older branches including versions 4.2, 4.0 and 3.6 are also affected and do not have backported fixes.
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: