Forwarded from National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202601-00000030
[Content Description]
Researchers have discovered a vulnerability in MongoDB Server classified as Improper Handling of Length Parameter Inconsistency (CVE-2025-14847).
An unauthenticated remote attacker can send specially crafted zlib-compressed wire-protocol messages to the server. Because the server does not properly verify the length parameters while decompressing such a message, it reads uninitialized memory while parsing the decompressed data and returns that content to the attacker, leaking potentially sensitive information. No credentials are required, so any host that can reach the server's listening port is a potential attacker. This vulnerability is already being exploited in the wild; please confirm whether your deployments are affected and patch as soon as possible.
[Affected Platforms]
MongoDB versions 8.2.0 to 8.2.2
MongoDB versions 8.0.0 to 8.0.16
MongoDB versions 7.0.0 to 7.0.26
MongoDB versions 6.0.0 to 6.0.26
MongoDB versions 5.0.0 to 5.0.31
MongoDB versions 4.4.0 to 4.4.29
All versions of MongoDB Server 4.2
All versions of MongoDB Server 4.0
All versions of MongoDB Server 3.6
[Recommended Actions]
Update MongoDB to version 8.2.3
Update MongoDB to version 8.0.17
Update MongoDB to version 7.0.28
Update MongoDB to version 6.0.27
Update MongoDB to version 5.0.32
Update MongoDB to version 4.4.30
If you cannot update immediately, please refer to the official instructions at the following URL: https://jira.mongodb.org/browse/SERVER-115508
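The following script is an added example for triaging a fleet against the version ranges listed in this alert; it is not part of the original alert or of any MongoDB tooling. It parses the version string printed by `mongod --version` (or returned by `db.version()`), reports whether the version falls inside a listed affected range, and names the fixed release to move to. The sample inputs at the bottom are constructed for illustration. A version that sits between the last listed affected patch and the first fixed patch (for example 7.0.27) is not reported as affected, because the alert does not list it, but it is still below the fixed release, so the recommended action remains an update.

```python
"""Check MongoDB Server version strings against CVE-2025-14847 ranges.

Ranges are transcribed from alert NISAC-200-202601-00000030; this is an
added triage helper, not vendor code.
"""
import re

# series -> (last affected patch, first fixed patch), as listed in the alert
FIXED_SERIES = {
    (8, 2): (2, 3),
    (8, 0): (16, 17),
    (7, 0): (26, 28),
    (6, 0): (26, 27),
    (5, 0): (31, 32),
    (4, 4): (29, 30),
}

# series the alert lists as affected in every version, with no fixed release
EOL_SERIES = {(4, 2), (4, 0), (3, 6)}

# matches "7.0.12", "v7.0.12", "db version v7.0.12", "7.0.12-rc0"
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a mongod --version or db.version() string."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no MongoDB version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Return a triage verdict for one version string."""
    major, minor, patch = parse_version(text)
    version = f"{major}.{minor}.{patch}"
    series = (major, minor)

    if series in EOL_SERIES:
        return {
            "version": version,
            "affected": True,
            "fixed_in": None,
            "action": "all versions of this series are affected and no fixed "
                      "release is listed; upgrade to a supported series",
        }

    if series not in FIXED_SERIES:
        # e.g. a rapid-release series the alert does not mention
        return {
            "version": version,
            "affected": None,
            "fixed_in": None,
            "action": "series not covered by this alert; check the references",
        }

    last_affected, first_fixed = FIXED_SERIES[series]
    fixed_in = f"{major}.{minor}.{first_fixed}"

    if patch >= first_fixed:
        return {
            "version": version,
            "affected": False,
            "fixed_in": fixed_in,
            "action": "at or above the fixed release; no action required",
        }

    # below the fix: flag as affected only if inside the listed range,
    # but recommend the update either way since the version predates the fix
    return {
        "version": version,
        "affected": patch <= last_affected,
        "fixed_in": fixed_in,
        "action": f"update to {fixed_in}",
    }


if __name__ == "__main__":
    # constructed sample inputs in the shape of `mongod --version` output
    samples = [
        "db version v7.0.12",
        "db version v8.0.17",
        "db version v4.2.25",
        "db version v7.0.27",
        "db version v8.1.0",
    ]
    for sample in samples:
        verdict = assess(sample)
        print(f"{verdict['version']:>8}  affected={verdict['affected']!s:<5} {verdict['action']}")
```

Feed it one line per host (for example the output of `mongod --version | head -1` collected by your configuration management tool) and act on every entry whose action is an update or a series upgrade; an `affected=None` result means the series is outside this alert's scope and must be checked against the references rather than assumed safe.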
[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-14847
2. https://jira.mongodb.org/browse/SERVER-115508