MongoDB: Critical Security Vulnerability in NoSQL Database

MongoDB warns of a critical security vulnerability affecting recent versions. Admins should patch immediately.

The security team of the NoSQL database software MongoDB documented a critical security vulnerability on Friday: "A client-side exploit of the server's zlib implementation can return uninitialized heap memory without requiring authentication to the server. We strongly recommend updating to a corrected version as soon as possible."

Attackers can exploit a bug in the zlib compression software to access uninitialized dynamic memory (heap memory), which may still contain old data such as passwords, keys, or other sensitive information. An attacker would not need database credentials for this, and no user interaction is required, according to BleepingComputer.

The vulnerability affects the following MongoDB server versions:

MongoDB 8.2.0 to 8.2.3
MongoDB 8.0.0 to 8.0.16
MongoDB 7.0.0 to 7.0.26
MongoDB 6.0.0 to 6.0.26
MongoDB 5.0.0 to 5.0.31
MongoDB 4.4.0 to 4.4.29

As well as all

MongoDB Server v4.2 versions
MongoDB Server v4.0 versions
MongoDB Server v3.6 versions

These should be upgraded to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30 respectively.

The security vulnerability, published under CVE-2025-14847, is considered critical and has a CVSS score of 8.7.

Those who cannot upgrade immediately to one of the patched versions should disable zlib compression on the MongoDB server. According to the MongoDB warning, this can be done "by starting mongod or mongos with a networkMessageCompressors or net.compression.compressors option that explicitly excludes zlib."
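As an added example (not MongoDB's code and not part of the original article), a small Python triage helper that encodes the affected version ranges listed above and checks whether a mongod.conf still leaves zlib in net.compression.compressors; the version strings and config text it uses are constructed.

```python
"""Triage helper for CVE-2025-14847 (added example, not MongoDB's code).
Checks whether a mongod/mongos version string falls inside one of the
affected ranges named in the article, and whether a mongod.conf (YAML)
still leaves zlib in net.compression.compressors. Inputs are constructed."""
import re

# Affected ranges exactly as the article lists them, inclusive.
AFFECTED_RANGES = [
    ((8, 2, 0), (8, 2, 3)),
    ((8, 0, 0), (8, 0, 16)),
    ((7, 0, 0), (7, 0, 26)),
    ((6, 0, 0), (6, 0, 26)),
    ((5, 0, 0), (5, 0, 31)),
    ((4, 4, 0), (4, 4, 29)),
]
# Whole release lines the article reports as affected (no fixed release).
AFFECTED_LINES = [(4, 2), (4, 0), (3, 6)]

def parse_version(version):
    """'7.0.12-rc0' -> (7, 0, 12); build/rc suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    ver = parse_version(version)
    if ver[:2] in AFFECTED_LINES:
        return True
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)

def zlib_enabled(conf_text):
    """True unless net.compression.compressors explicitly excludes zlib.
    The advisory requires an option that *excludes* zlib, so a config
    with no compressors line is reported as still exposed."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*compressors\s*:\s*(.+?)\s*$", line)
        if m:
            value = m.group(1).strip("\"'")
            if value == "disabled":  # network compression switched off entirely
                return False
            return "zlib" in [c.strip() for c in value.split(",")]
    return True

# Constructed sample configs: the weak one keeps zlib, the fixed one
# applies the article's workaround and lists only snappy and zstd.
WEAK_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
FIXED_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd\n"
```

A host is exposed when `is_affected(version)` and `zlib_enabled(conf)` are both true; the same compressor check applies to a `--networkMessageCompressors` command-line value.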


MongoDB is used by more than 62,000 customers worldwide. The database management system stores data in BSON (Binary JSON) documents, unlike traditional relational SQL databases like MySQL or PostgreSQL, which store data in tables.

(kst)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.