CVE-2025-14847 · HIGH 7.5 · CISA KEV · EPSS p99.6%

CVE-2025-14847: MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability

MongoDB / MongoDB and MongoDB Server

Description

MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.

Scoring

CVSS 3.1: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 83.01% probability of exploitation · percentile 99.6% · 2026-06-16T12:03:06Z
Published: 2025-12-19
Last modified: 2026-01-13

CISA KEV entry

Added to KEV: 2025-12-29

Underlying weaknesses · 1

CWE-130: Improper Handling of Length Parameter Inconsistency

References

  1. https://jira.mongodb.org/browse/SERVER-115508
  2. http://www.openwall.com/lists/oss-security/2025/12/29/21
  3. https://www.smartkeyss.com/post/mongobleed-pre-auth-memory-disclosure-via-op_compressed-in-mongodb-cve-2025-14847
  4. https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server
  5. https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server
  6. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847

Graph links · 1

Type: Weakness · Target: Improper Handling of Length Parameter Inconsistency (cwe-130) · Confidence: 0% · Tier: live

Graph links (incoming) · 1

Type: KEVEntry · Target: MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability (kev-cve-2025-14847) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2026-9750
CVE · CVE-2026-9740
CVE · CVE-2026-9735
CVE · CVE-2026-8201
CVE · CVE-2026-8053
CVE · MongoDB mongo-express Remote Code Execution Vulnerability

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.