【資安漏洞預警】MongoDB存在高風險安全漏洞(CVE-2025-14847)，請儘速確認並進行修補

【行政公告】

公告單位	圖資處數位服務組
訊息類別	行政公告行政公告	公告對象	全體
公告主題	【資安漏洞預警】MongoDB存在高風險安全漏洞(CVE-2025-14847)，請儘速確認並進行修補 [Security Vulnerability Alert] MongoDB has a high-risk security vulnerability (CVE-2025-14847). Please confirm and patch it as soon as possible.
公告內容	轉發國家資安資訊分享與分析中心資安訊息警訊 NISAC-200-202601-00000030 [內容說明] 研究人員發現MongoDB存在不當處理長度不一致參數(Improper Handling of Length Parameter Inconsistency)漏洞(CVE-2025-14847)。未經身分鑑別之遠端攻擊者可透過傳送特製之zlib壓縮通訊封包，觸發系統於處理解壓縮資料時，未適當驗證參數長度之問題，進而於解析文件流程讀取未初始化之記憶體內容，造成敏感資訊洩漏。該漏洞已遭駭客利用，請儘速確認並進行修補。 [影響平台] MongoDB 8.2.0至8.2.2版本 MongoDB 8.0.0至8.0.16版本 MongoDB 7.0.0至7.0.26版本 MongoDB 6.0.0至6.0.26版本 MongoDB 5.0.0至5.0.31版本 MongoDB 4.4.0至4.4.29版本 MongoDB Server 4.2所有版本 MongoDB Server 4.0所有版本 MongoDB Server 3.6所有版本 [建議措施] 更新MongoDB至8.2.3版本更新MongoDB至8.0.17版本更新MongoDB至7.0.28版本更新MongoDB至6.0.27版本更新MongoDB至5.0.32版本更新MongoDB至4.4.30版本若無法立即更新，請參考官方說明進行處哩，網址如下： https://jira.mongodb.org/browse/SERVER-115508 [參考資料] 1. https://nvd.nist.gov/vuln/detail/CVE-2025-14847 2. https://jira.mongodb.org/browse/SERVER-115508 Forwarded from National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202601-00000030 [Content Description] Researchers have discovered a vulnerability in MongoDB called Improper Handling of Length Parameter Inconsistency (CVE-2025-14847). An unauthenticated remote attacker could send specially crafted zlib compressed communication packets, triggering the system's failure to properly verify parameter lengths during data decompression. This would allow the attacker to read uninitialized memory content during file parsing, leading to the leakage of sensitive information. This vulnerability has already been exploited by hackers; please confirm and patch it as soon as possible. [Affected Platforms] MongoDB versions 8.2.0 to 8.2.2 MongoDB versions 8.0.0 to 8.0.16 MongoDB versions 7.0.0 to 7.0.26 MongoDB versions 6.0.0 to 6.0.26 MongoDB versions 5.0.0 to 5.0.31 MongoDB versions 4.4.0 to 4.4.29 All versions of MongoDB Server 4.2 All versions of MongoDB Server 4.0 All versions of MongoDB Server 3.6 [Recommended Actions] Update MongoDB to version 8.2.3 Update MongoDB to version 8.0.17 Update MongoDB to version 7.0.28 Update MongoDB to version 6.0.27 Update MongoDB to version 5.0.32 Update MongoDB to version 4.4.30. If you cannot update immediately, please refer to the official instructions at the following URL: https://jira.mongodb.org/browse/SERVER-115508 [References] 1. https://nvd.nist.gov/vuln/detail/CVE-2025-14847 2. https://jira.mongodb.org/browse/SERVER-115508
相關訊息	參考資料1 參考資料2
公告時間	2026/1/6 至 2026/7/6	點閱次數	122