[Security] Additional hardening for zlib decompression (CVE-2025-14847 follow-up)


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical - P2
    • Affects Version/s: 3.6.0
    • Component/s: None
    • Server Programmability
    • ALL

      1. Use docker to reproduce locally by running

      docker run -d --name mongo-vulnerable -p 27017:27017 mongo:7.0.26

      2. Send malformed zlib-compressed packet

      echo -n "2a0000000100000000000000dc070000dd0700003200000002789c636080028144064620050002ca0073" | xxd -r -p | nc localhost 27017 | xxd 

      3. Observe uninitialized heap memory in response

      • Response contains BSON signatures (e.g., 0x00 padding, string markers)
      • Memory beyond intended payload is leaked


      Alternatively,

      1. Run MongoDB Server version < 8.2.3 with zlib compression enabled
      2. Send malformed zlib packet: 2a0000000100000000000000dc070000dd0700003200000002789c636080028144064620050002ca0073
      3. Observe uninitialized heap memory in server response
    • Programmability 2026-01-05

      A vulnerability exists in MongoDB's zlib compression handling in src/mongo/transport/message_compressor_zlib.cpp.

      This bug causes MongoDB to return uninitialized heap memory to unauthenticated clients because of a length mismatch in the decompression logic.

      Additional details:

      The original code in the decompress() function returned output.length(), which is the allocated buffer size, not the actual decompressed data length. Because of this mismatch, the bytes beyond the real payload, which were never written by the decompressor, were sent back to the client from uninitialized heap memory.

      Proposed Fix

      // File: src/mongo/transport/message_compressor_zlib.cpp
      // Function: decompress()
      
      // BEFORE  <= the vulnerable code: reports the allocated buffer size
      return {output.length()};
      
      // AFTER   <= proposed fix addressing the root cause: reports the length zlib actually produced
      return length;
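As an added illustration (not MongoDB's code and not the reporter's), the length-mismatch pattern reduced to a self-contained C++ sketch: a toy run-length decoder stands in for zlib's uncompress(), the 0xAA fill stands in for stale heap contents, and the hardened variant returns the produced length and additionally rejects a message whose declared size does not match it (that extra check is an assumption about sensible hardening, not the fix proposed above).

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed sample "compressed" message: one run of three 'A' bytes.
const std::vector<uint8_t> kSample = {3, 'A'};

// Stand-in for zlib uncompress(): expands pairs of <count, byte> into `out`,
// never writing past out.size(). Returns the byte count actually produced,
// which zlib reports through its destLen out-parameter.
static size_t toyInflate(const std::vector<uint8_t>& in, std::vector<uint8_t>& out) {
    size_t written = 0;
    for (size_t i = 0; i + 1 < in.size(); i += 2) {
        for (uint8_t n = 0; n < in[i] && written < out.size(); ++n) {
            out[written++] = in[i + 1];
        }
    }
    return written;
}

// Vulnerable shape: the buffer is sized from the client-declared length and the
// function reports that size (`output.length()`), not the bytes inflate wrote.
// Everything past the real payload is whatever the allocator handed back.
std::vector<uint8_t> decompressVulnerable(const std::vector<uint8_t>& in, size_t declaredLen) {
    std::vector<uint8_t> out(declaredLen, 0xAA);  // 0xAA marks "stale heap contents"
    toyInflate(in, out);                          // produced length is discarded
    return out;                                   // all declaredLen bytes go on the wire
}

// Hardened shape: report the produced length (the issue's `return length;`) and,
// as an extra check, reject a message whose declared length does not match it.
std::optional<std::vector<uint8_t>> decompressHardened(const std::vector<uint8_t>& in, size_t declaredLen) {
    std::vector<uint8_t> out(declaredLen, 0xAA);
    size_t length = toyInflate(in, out);
    if (length != declaredLen) {
        return std::nullopt;  // length mismatch: drop rather than serve padding
    }
    out.resize(length);
    return out;
}

int main() {
    auto leaky = decompressVulnerable(kSample, 8);
    std::printf("vulnerable: %zu bytes returned for a 3-byte payload\n", leaky.size());
    std::printf("hardened (declared 8): %s\n", decompressHardened(kSample, 8) ? "accepted" : "rejected");
    std::printf("hardened (declared 3): %zu bytes\n", decompressHardened(kSample, 3)->size());
    return 0;
}
```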

            Assignee: Billy Donahue
            Reporter: Ravi Sastry Kadali
            Votes: 0
            Watchers: 4