dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

info@thehackernews.com (The Hacker News)
December 27, 2025
A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory. The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the
Total
0
Shares
0
0
0
[[{“value”:”

MongoDB Flaw

A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.

The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data.

“Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client,” according to a description of the flaw in CVE.org.

Cybersecurity

The flaw impacts the following versions of the database –

  • MongoDB 8.2.0 through 8.2.3
  • MongoDB 8.0.0 through 8.0.16
  • MongoDB 7.0.0 through 7.0.26
  • MongoDB 6.0.0 through 6.0.26
  • MongoDB 5.0.0 through 5.0.31
  • MongoDB 4.4.0 through 4.4.29
  • All MongoDB Server v4.2 versions
  • All MongoDB Server v4.0 versions
  • All MongoDB Server v3.6 versions

The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

“An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server,” MongoDB said. “We strongly recommend upgrading to a fixed version as soon as possible.”

Cybersecurity

If immediate update is not an option, it’s recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd.

“CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap,” OP Innovate said. “This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Pro-Russian hackers claim attack on French postal service operator

December 26, 2025
Next Post

Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors

December 29, 2025
Related Posts
3 min

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service (DoS) condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Node.js's
info@thehackernews.com (The Hacker News)
January 14, 2026
Read More
3 min

Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images. The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll
info@thehackernews.com (The Hacker News)
December 15, 2025
Read More
4 min

Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT

The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins). "The campaign relied on phishing emails with PDFs that contained embedded malicious links," Pei Han Liao, researcher with Fortinet's FortiGuard
info@thehackernews.com (The Hacker News)
October 18, 2025
Read More