[While current versions of MongoDB are not under an OSI-approved open source
license, this bug also affects older versions which were - and there seem to
be a lot of packages distributed under either license from a quick check of
https://repology.org/project/mongodb/versions - apologies if anyone thinks
this should be off-topic for oss-security. -alan-]
https://jira.mongodb.org/browse/SERVER-115508 says:
SUMMARY
This is a critical fix to address CVE-2025-14847.
Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
ISSUE DESCRIPTION AND IMPACT
A client-side exploit of the Server's zlib implementation can return
uninitialized heap memory without authenticating to the server.
We strongly recommend upgrading to a fixed version as soon as possible.
This issue affects MongoDB versions:
MongoDB 8.2.0 through 8.2.2
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
WORKAROUND
We strongly suggest you upgrade immediately.
If you cannot upgrade immediately, disable zlib compression on the MongoDB
Server by starting mongod or mongos with a networkMessageCompressors or a
net.compression.compressors option that explicitly omits zlib.
Example safe values include "snappy,zstd" or "disabled".
REMEDIATION
Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
More information and a proof-of-concept have been posted to:
https://github.com/joe-desimone/mongobleed
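As an added check (not part of the advisory, the JIRA ticket, or MongoDB's own tooling), the script below tests whether the WORKAROUND above has actually taken effect on a host: it pulls the net.compression.compressors key out of a mongod.conf, or the --networkMessageCompressors value out of a mongod/mongos command line, and reports whether zlib is still in the effective compressor list. The assumed default of snappy,zstd,zlib when the option is absent (the documented default on 4.2 and later) and the sample config texts are mine, not the advisory's.

```python
"""Audit whether a mongod/mongos deployment still accepts zlib wire compression
(the SERVER-115508 / CVE-2025-14847 workaround). Added example, not MongoDB code."""

# Assumption (not stated in the advisory): on MongoDB 4.2+ the documented default
# compressor list includes zlib, so an absent setting is treated as zlib-enabled.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_compressors(value):
    """'snappy,zstd' -> ['snappy', 'zstd']; 'disabled' or empty -> []."""
    value = (value or "").strip().strip("\"'")
    if not value or value == "disabled":
        return []
    return [c.strip() for c in value.split(",") if c.strip()]


def compressors_from_argv(argv):
    """Return the --networkMessageCompressors value from a mongod/mongos argv, or None."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def compressors_from_config(text):
    """Return net.compression.compressors from mongod.conf YAML text, or None.
    Minimal indentation-based scan, sufficient for the flat key/value layout mongod.conf uses."""
    stack = []  # (indent, key) of the enclosing mappings, outermost first
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave mappings we have dedented out of
            stack.pop()
        stack.append((indent, key.strip()))
        if [k for _, k in stack] == ["net", "compression", "compressors"]:
            return value.strip()
    return None


def zlib_enabled(setting):
    """True if the effective compressor list (explicit setting, else assumed default) has zlib."""
    effective = setting if setting is not None else DEFAULT_COMPRESSORS
    return "zlib" in parse_compressors(effective)


# Constructed sample inputs: a config that still allows zlib, and the hardened form.
VULNERABLE_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
HARDENED_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd\n"
```

Run it against the real mongod.conf and the process command line from `ps`; a config with no net.compression section at all is reported as zlib-enabled because of the assumed default.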