CVE-2025-14847

CVE-2025-14847 PUBLISHED KEV

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Risk Scores

EPSS Score: 56.93% (98.2th percentile)

Affected Products

Vendor    Product    Versions
Bitnami   mongodb    4.4.0, 5.0.0, 6.0.0

Timeline

  • Dec 19, 2025 EPSS Score
  • Dec 19, 2025 CVE Published
  • Dec 29, 2025 CISA KEV Added
  • Dec 29, 2025 PoC Published
  • Dec 30, 2025 EPSS Score
  • Dec 31, 2025 EPSS Score
  • Jan 1, 2026 EPSS Score
  • Jan 4, 2026 EPSS Score
  • Jan 9, 2026 EPSS Score
  • Jan 13, 2026 EPSS Score
  • Jan 14, 2026 EPSS Score
  • Jan 18, 2026 EPSS Score