Cyber Posture

CVE-2025-14847

High · CISA KEV · Active Exploitation · Public PoC

Published: 19 December 2025
Modified: 13 January 2026
KEV Added: 29 December 2025
Patch: available (patched releases are listed under Deeper analysis)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.6146 (percentile 98.3)
Risk Priority: 72 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14847 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in MongoDB Server (vendor/product: mongodb/mongodb). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation)

Directly mitigates the vulnerability by requiring timely remediation through patching to fixed MongoDB Server versions that correct the mismatched length handling in Zlib headers.

prevent · SI-10 (Information Input Validation)

Requires validation of incoming protocol headers, including length fields in Zlib compressed data, so that inconsistent parameters are rejected before they can lead to uninitialized heap memory disclosure.

prevent · memory protection

Implements memory protection mechanisms such as heap isolation or initialization to reduce the risk of uninitialized memory exposure even if a length mismatch slips through.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-14847 is an unauthenticated remote vulnerability in MongoDB Server, a public-facing network service, enabling heap memory disclosure via exploitation of protocol handling flaws.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Deeper analysis

CVE-2025-14847 involves mismatched length fields in Zlib compressed protocol headers within MongoDB Server, potentially allowing an unauthenticated client to read uninitialized heap memory. This vulnerability affects multiple versions across several MongoDB Server branches: all v7.0 prior to 7.0.28, v8.0 prior to 8.0.17, v8.2 prior to 8.2.3, v6.0 prior to 6.0.27, v5.0 prior to 5.0.32, v4.4 prior to 4.4.30, v4.2 versions greater than or equal to 4.2.0, v4.0 versions greater than or equal to 4.0.0, and v3.6 versions greater than or equal to 3.6.0. It is associated with CWE-130 (Improper Handling of Length Parameter Inconsistency) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated remote attacker can exploit this issue over the network with low attack complexity and no user interaction required. Successful exploitation discloses uninitialized heap memory contents, a high confidentiality impact with no effect on integrity or availability.

Advisories indicate mitigation through upgrading to patched releases where available, such as MongoDB Server v7.0.28, v8.0.17, v8.2.3, v6.0.27, v5.0.32, and v4.4.30. References include MongoDB's JIRA ticket SERVER-115508, an OSS-Security mailing list announcement, and third-party resources offering detection and mitigation scripts for heap memory exposure in this context.
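As an added example (not code from this page, from MongoDB, or from any referenced script), the following Python check shows the kind of length-consistency validation the SI-10 control above calls for and the analysis describes: it parses an OP_COMPRESSED frame, assuming the public wire-protocol layout (16-byte message header, then originalOpcode int32, uncompressedSize int32, compressorId uint8, zlib data), and refuses any frame whose declared uncompressedSize disagrees with what zlib actually inflates. The frame builder, the sample payloads and the size cap are constructed for the demonstration.

```python
import struct
import zlib

# Wire-protocol values assumed from MongoDB's public OP_COMPRESSED description.
OP_COMPRESSED = 2012    # opCode of a compressed message
OP_MSG = 2013           # originalOpcode used by the constructed sample
COMPRESSOR_ZLIB = 2     # compressorId for zlib
MSG_HEADER_LEN = 16     # messageLength, requestID, responseTo, opCode
COMPRESSED_HDR_LEN = 9  # originalOpcode int32, uncompressedSize int32, compressorId uint8
MAX_UNCOMPRESSED = 48 * 1024 * 1024  # assumed cap on the inflated size

def build_compressed_frame(payload: bytes, declared_size: int = -1) -> bytes:
    """Constructed test fixture: wrap payload in an OP_COMPRESSED frame. A
    declared_size >= 0 overrides the true size to make the fields disagree."""
    if declared_size < 0:
        declared_size = len(payload)
    body = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + zlib.compress(payload)
    header = struct.pack("<iiii", MSG_HEADER_LEN + len(body), 1, 0, OP_COMPRESSED)
    return header + body

def decompress_checked(frame: bytes) -> bytes:
    """Return the inflated message only if every length field is consistent;
    uncompressedSize is verified against zlib's real output, never trusted."""
    min_len = MSG_HEADER_LEN + COMPRESSED_HDR_LEN
    if len(frame) < min_len:
        raise ValueError("frame shorter than OP_COMPRESSED minimum")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", frame, 0)
    if msg_len != len(frame) or opcode != OP_COMPRESSED:
        raise ValueError("messageLength or opCode does not match the frame")
    _orig, declared, compressor = struct.unpack_from("<iiB", frame, MSG_HEADER_LEN)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("only zlib frames are handled in this example")
    if not 0 <= declared <= MAX_UNCOMPRESSED:
        raise ValueError("uncompressedSize out of range")
    inflater = zlib.decompressobj()
    # Cap output at declared+1 bytes: an overlong stream is caught without
    # inflating it fully, and a short stream yields fewer bytes than declared.
    out = inflater.decompress(frame[min_len:], declared + 1)
    if len(out) != declared or not inflater.eof or inflater.unused_data:
        raise ValueError(f"uncompressedSize {declared} != inflated length {len(out)}")
    return out

def is_consistent(frame: bytes) -> bool:
    """Accept/reject wrapper; zlib.error covers corrupt or truncated streams."""
    try:
        decompress_checked(frame)
        return True
    except (ValueError, zlib.error):
        return False
```

The point of the check is that the receiver sizes nothing from the header value alone: the inflated length, the end-of-stream marker and the absence of trailing bytes must all agree before the message is handed on.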

Details

CWE(s): CWE-130 (Improper Handling of Length Parameter Inconsistency)
KEV Date Added: 29 December 2025

Affected Products

mongodb / mongodb: 3.6.0 to 4.4.30 · 5.0.0 to 5.0.32 · 6.0.0 to 6.0.27

CVEs Like This One

CVE-2026-1848 (same product: Mongodb Mongodb)
CVE-2026-4358 (same product: Mongodb Mongodb)
CVE-2026-4148 (same product: Mongodb Mongodb)
CVE-2026-1849 (same product: Mongodb Mongodb)
CVE-2026-1847 (same product: Mongodb Mongodb)
CVE-2026-1850 (same product: Mongodb Mongodb)
CVE-2026-8201 (same product: Mongodb Mongodb)
CVE-2025-0755 (same product: Mongodb Mongodb)
CVE-2026-5367 (shared CWE-130)
CVE-2026-41035 (shared CWE-130)

References