Severe vulnerability in MongoDB, update immediately
This message is intended for U-M IT staff who are responsible for university systems running MongoDB.
Summary
MongoDB has warned IT admins to immediately patch a high-severity memory-read vulnerability that unauthenticated attackers can exploit remotely. Exploit code has been made publicly available, and widespread exploitation may occur.
Problem
Tracked as CVE-2025-14847, the security flaw affects multiple MongoDB and MongoDB Server versions and may be abused by unauthenticated threat actors in low-complexity attacks that don't require user interaction.
CVE-2025-14847 stems from improper handling of a length parameter inconsistency (CWE-130). Flaws in this class could, in some cases, allow attackers to execute arbitrary code and gain control of the targeted device.
Threats
Exploit code has been made publicly available for this vulnerability. The exploit code facilitates the retrieval of secrets, such as database passwords. Widespread exploitation to steal credentials is likely in the near term. Exploitation to perform remote code execution is possible, but at the time of publishing this alert, is not yet known to be occurring.
Affected Versions
The vulnerability impacts the following MongoDB versions:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
Action Items
Upgrade MongoDB immediately to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with the --networkMessageCompressors command-line option or the net.compression.compressors configuration setting set to a compressor list that explicitly omits zlib.
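To help inventory hosts that still need action under this advisory, the following is an added Python helper; it is not part of this alert or of MongoDB. It encodes the fixed releases from the Action Items and the zlib workaround condition; treating an unset compressor option as "zlib enabled" is an assumption about the server default, and a host in a branch the advisory does not list is reported as not affected.

```python
from typing import Optional

# First fixed release per branch, from the advisory's Action Items.
FIXED = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}
# Branches the advisory lists as affected in every version, no fix given.
UNFIXED_BRANCHES = {(4, 2), (4, 0), (3, 6)}

def parse_version(text: str) -> tuple:
    """'7.0.26-ent' -> (7, 0, 26); tolerates build/edition suffixes."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str) -> bool:
    """Affected if below the branch's fix or in a branch with no fix.
    'Below the fix' is slightly conservative: it also flags 7.0.27, which
    sits between the listed range and the fix.  Branches the advisory does
    not mention (e.g. a newer 8.x) return False; check them separately."""
    v = parse_version(version)
    if v[:2] in UNFIXED_BRANCHES:
        return True
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def target_release(version: str) -> Optional[str]:
    """Release to upgrade to, or None when the branch has no fixed release."""
    fixed = FIXED.get(parse_version(version)[:2])
    return ".".join(map(str, fixed)) if fixed else None

def zlib_enabled(compressors: Optional[str]) -> bool:
    """compressors: value given to --networkMessageCompressors or
    net.compression.compressors; None means the option was not set.
    Assumption: the unset default includes zlib, so None counts as enabled
    (the advisory requires zlib to be *explicitly* omitted)."""
    if compressors is None:
        return True
    return "zlib" in {c.strip().lower() for c in compressors.split(",")}

def needs_action(version: str, compressors: Optional[str] = None) -> str:
    """'ok' (fixed), 'mitigated' (zlib off, upgrade still due) or 'upgrade'."""
    if not is_vulnerable(version):
        return "ok"
    return "mitigated" if not zlib_enabled(compressors) else "upgrade"
```

Feed it the output of `mongod --version` and the compressor option from each host's service definition or config file; a "mitigated" result still means the host is on the upgrade list.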
How We Protect U-M
ITS is patching ITS-managed MongoDB installations. MiServer customers will need to identify their non-ITS-Managed and Unmanaged MiServer systems running vulnerable versions of MongoDB and apply updates.
Information for Users
If you have installed the MongoDB service on non-U-M devices, please check for updates and install them.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.