Source: Ministry of Education Information & Communication Security Contingency Platform
"" "" ""
| Field | Value |
|---|---|
| Publication Number | TACERT-ANA-2026010601013333 |
| Publication Time | 2026/01/06 13:17 |
| Incident Type | ANA-Vulnerability Alert |
| Discovery Time | 2026/01/06 13:17 |
| Impact Level | Medium |
[Subject] 【Vulnerability Alert】A high-risk security vulnerability has been identified in MongoDB (CVE-2025-14847). Please promptly verify and apply the necessary fixes.

[Content] Forwarded from the National Institute of Cyber Security, NISAC-200-202601-00000030. Researchers have discovered an Improper Handling of Length Parameter Inconsistency vulnerability (CVE-2025-14847) in MongoDB. An unauthenticated remote attacker can exploit it by sending specially crafted zlib-compressed protocol messages: when the server processes the decompressed data it does not properly validate the parameter lengths, so document parsing may read uninitialized memory and disclose sensitive information. This vulnerability has already been exploited by attackers. Please promptly verify and apply the necessary fixes. (Information Sharing Level: WHITE; the information content may be publicly disclosed.)

[Affected Platform]
- MongoDB versions 8.0.0 through 8.0.16
- MongoDB versions 7.0.0 through 7.0.26
- MongoDB versions 6.0.0 through 6.0.26
- MongoDB versions 5.0.0 through 5.0.31
- MongoDB versions 4.4.0 through 4.4.29
- MongoDB Server, all versions of 4.2
- MongoDB Server, all versions of 4.0
- MongoDB Server, all versions of 3.6

[Recommended Actions]
- Update MongoDB to version 8.0.17
- Update MongoDB to version 7.0.28
- Update MongoDB to version 6.0.27
- Update MongoDB to version 5.0.32
- Update MongoDB to version 4.4.30
- If immediate updating is not possible, refer to the official guidance for mitigation at https://jira.mongodb.org/browse/SERVER-115508
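As an added example (not part of the advisory or of MongoDB's own tooling), a Python check that maps a version string collected from a host, either bare or as the first line of `mongod --version` output, onto the affected ranges and fixed releases listed above. The 4.2, 4.0 and 3.6 branches are reported as affected with no fixed release, since the advisory names none, and branches the advisory does not mention are reported as unknown rather than assumed safe.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory (inclusive), keyed by major.minor.
AFFECTED = {
    (8, 0): ((8, 0, 0), (8, 0, 16)),
    (7, 0): ((7, 0, 0), (7, 0, 26)),
    (6, 0): ((6, 0, 0), (6, 0, 26)),
    (5, 0): ((5, 0, 0), (5, 0, 31)),
    (4, 4): ((4, 4, 0), (4, 4, 29)),
}
# Branches the advisory marks as affected in every version, with no fixed release named.
ALL_VERSIONS_AFFECTED = {(4, 2), (4, 0), (3, 6)}
# Fixed releases named under [Recommended Actions].
FIXED = {(8, 0): "8.0.17", (7, 0): "7.0.28", (6, 0): "6.0.27", (5, 0): "5.0.32", (4, 4): "4.4.30"}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract X.Y.Z from a bare version string or from the first line of
    `mongod --version` ('db version v7.0.26'). Pre-release suffixes are ignored."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MongoDB version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version). status is 'affected', 'not affected' or
    'unknown branch' (a major.minor the advisory does not mention)."""
    v = parse_version(text)
    branch = v[:2]
    if branch in ALL_VERSIONS_AFFECTED:
        return "affected", None
    if branch in AFFECTED:
        lo, hi = AFFECTED[branch]
        return ("affected" if lo <= v <= hi else "not affected"), FIXED[branch]
    return "unknown branch", None


if __name__ == "__main__":
    # Constructed inventory: host -> version string as a fleet scan might collect it.
    inventory = {"db-01": "db version v7.0.26", "db-02": "8.0.17", "db-03": "4.2.24"}
    for host, ver in inventory.items():
        status, fix = assess(ver)
        hint = f", upgrade to {fix}" if status == "affected" and fix else ""
        print(f"{host}: {ver} -> {status}{hint}")
```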
[Reference]
2. https://jira.mongodb.org/browse/SERVER-115508