CVE-2025-14847
BaseFortify
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: MongoDB, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | mongodb_server | 8.2 |
| mongodb | mongodb_server | 3.6 |
| mongodb | mongodb_server | 4.0 |
| mongodb | mongodb_server | 8.0 |
| mongodb | mongodb_server | 5.0 |
| mongodb | mongodb_server | 4.4 |
| mongodb | mongodb_server | 7.0 |
| mongodb | mongodb_server | 4.2 |
| mongodb | mongodb_server | 6.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-130 | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves mismatched length fields in Zlib compressed protocol headers in MongoDB Server. It may allow an unauthenticated client to read uninitialized heap memory, potentially exposing sensitive data. It affects multiple versions of MongoDB Server prior to certain fixed releases.
How can this vulnerability impact me?
An unauthenticated attacker could exploit this vulnerability to read uninitialized heap memory, which might contain sensitive information. This could lead to data exposure without requiring authentication, posing a significant security risk.