Make minimally sized buffers for uncompressed Messages


    • Fully Compatible
    • ALL

      Issue Status as of Dec 19 2025

      SUMMARY

      This is a critical fix to address CVE-2025-14847. Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

      ISSUE DESCRIPTION AND IMPACT

      A client can exploit the server's zlib wire-message decompression to make the server return uninitialized heap memory, without authenticating to the server. Because no credentials are needed, any host that can reach the listening port is in scope. We strongly recommend upgrading to a fixed version as soon as possible.

      This issue affects MongoDB versions:

      • MongoDB 8.2.0 through 8.2.2 (8.2.3 is the fixed release)
      • MongoDB 8.0.0 through 8.0.16
      • MongoDB 7.0.0 through 7.0.26
      • MongoDB 6.0.0 through 6.0.26
      • MongoDB 5.0.0 through 5.0.31
      • MongoDB 4.4.0 through 4.4.29
      • All MongoDB Server v4.2 versions
      • All MongoDB Server v4.0 versions
      • All MongoDB Server v3.6 versions

      WORKAROUND

      We strongly suggest you upgrade immediately.

      If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a --networkMessageCompressors command-line option, or a net.compression.compressors setting in the configuration file, whose comma-separated value explicitly omits zlib. Example safe values are snappy,zstd (keep the other compressors) or disabled (turn off wire compression entirely). Note that compressors are negotiated per connection during the hello handshake, so the setting must be applied to every mongod and mongos that accepts client connections; clients that only offer zlib will simply fall back to uncompressed messages.

      REMEDIATION

      Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
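      The following is an added triage helper, not code from this ticket or from MongoDB. It encodes the fixed releases and affected branches listed above, classifies a server version string as fixed, vulnerable or unknown, interprets the compression field of a hello reply to confirm whether a server still negotiates zlib, and rewrites a compressors setting so that zlib is dropped. The function names, the constructed sample replies, the use of pymongo for the live probe, and the assumption that a hello command issued after the handshake still reports negotiated compressors are all mine; the script is deliberately stricter than the version ranges above in that any release below the fixed one on its branch is reported as vulnerable.

```python
"""Triage helpers for CVE-2025-14847 (MongoDB zlib message decompression).

Added example, not MongoDB's own code. Fixed releases and affected branches
come from the advisory text; function names and sample data are constructed.
"""
import re

# Fixed release per branch, from the advisory. Branches listed as affected
# with no fixed release get None (every version on that branch is affected).
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
    (4, 2): None,
    (4, 0): None,
    (3, 6): None,
}


def parse_version(version: str) -> tuple:
    """Turn '7.0.26' or '7.0.26-rc0' into (7, 0, 26); pre-release suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version: str) -> str:
    """Classify a server version as 'fixed', 'vulnerable' or 'unknown'.

    Conservative: anything below the fixed release on its branch is reported
    as vulnerable, even where the advisory's 'through' range stops earlier.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        return "unknown"        # branch not covered by the advisory text
    fixed = FIXED_VERSIONS[branch]
    if fixed is None:
        return "vulnerable"     # affected branch with no fixed release listed
    return "fixed" if v >= fixed else "vulnerable"


# Probe document (assumption): offering only zlib makes the server's reply
# list zlib under 'compression' if and only if zlib is still enabled.
# On servers older than the hello command, use {"isMaster": 1, ...} instead.
HELLO_PROBE = {"hello": 1, "compression": ["zlib"]}


def zlib_negotiated(hello_reply: dict) -> bool:
    """True if the server agreed to zlib in its reply to a hello that offered zlib."""
    return "zlib" in hello_reply.get("compression", [])


def safe_compressors(current: str) -> str:
    """Remove zlib from a compressors setting; 'disabled' if nothing is left.

    The result is valid for both --networkMessageCompressors and
    net.compression.compressors.
    """
    kept = [c.strip() for c in current.split(",")
            if c.strip() and c.strip().lower() != "zlib"]
    return ",".join(kept) if kept else "disabled"


def probe_server(uri: str) -> bool:
    """Ask a live mongod/mongos whether it still accepts zlib.

    Requires pymongo (assumption); needs a reachable server, so it is not
    exercised by the offline checks below.
    """
    from pymongo import MongoClient
    with MongoClient(uri) as client:
        return zlib_negotiated(client.admin.command(HELLO_PROBE))


if __name__ == "__main__":
    # Constructed sample data standing in for a fleet inventory and a hello reply.
    for host, version in {"db-1": "7.0.26", "db-2": "8.0.17", "db-3": "4.2.24"}.items():
        print(host, version, patch_status(version))
    sample_reply = {"ok": 1.0, "compression": ["zlib"]}   # constructed
    print("zlib still negotiated:", zlib_negotiated(sample_reply))
    print("corrected compressors:", safe_compressors("snappy,zstd,zlib"))
```

      Run patch_status over the versions reported by db.version() on each node, and probe_server against the client-facing address of every mongod and mongos; a reply that still lists zlib means the workaround above has not taken effect on that process.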

            Assignee:
            Spencer Jackson
            Reporter:
            Spencer Jackson
            Votes:
            0
            Watchers:
            8
