MongoDB CVE-2025-14847

Background

The vulnerability (CVE-2025-14847) in MongoDB’s zlib implementation allows unauthenticated remote exploitation, enabling extraction of sensitive data from MongoDB server memory without login credentials.

Products affected:

The affected versions of opHA MB (Message Bus) are as follows:

- opHA MB 5.0.1

- opHA MB 5.1.0

- opHA MB 5.1.1

- opHA MB 5.1.2

- opHA MB 5.1.3

- opHA MB with replication

MongoDB Patching

To mitigate the "MongoBleed" vulnerability (CVE-2025-14847), it is recommended to immediately patch MongoDB to remediate the CVE or, as a temporary workaround

Immediate Mitigation Steps

Patch MongoDB: Apply the relevant patch for your version as soon as possible:

- 8.2.x: Upgrade to 8.2.3 or newer

- 8.0.x: Upgrade to 8.0.17 or newer

- 7.0.x: Upgrade to 7.0.28 or newer

- 6.0.x: Upgrade to 6.0.27 or newer

- 5.0.x: Upgrade to 5.0.32 or newer

- 4.4.x: Upgrade to 4.4.30 or newer

Note: Versions 4.2, 4.0, and 3.6 are no longer supported and do not have a patch; upgrading to a supported version is mandatory.

Patched MongoDB binaries can be downloaded from https://www.mongodb.com/try/download/community-edition/releases

If an immediate upgrade is not possible, the temporary workarounds below can be applied.

Temporary Workarounds

If the MongoDB server is accessible from the Internet, restrict access to it.

To mitigate the risk, the following workarounds are available:

  • Restrict Network Access:

    • Ensure your MongoDB database ports (default 27017) are not exposed to the public internet.

    • Use firewalls, security groups, or Kubernetes NetworkPolicies to limit connectivity to only trusted, internal IPs and application servers.

    • The vulnerability is "pre-auth," meaning an attacker can exploit it before authentication, so network isolation is a critical defense.

  • Disable zlib Compression:

    • The vulnerability lies in how MongoDB handles zlib compression. Disabling it mitigates the risk.

    • Start mongod or mongos with the networkMessageCompressors or net.compression.compressors option, explicitly omitting zlib and using alternatives like snappy or zstd.

      $ head /etc/mongod.conf
      net:
        compression:
          compressors: zstd,snappy

If MongoDB is restricted to localhost, this does not apply.

MongoDB's configuration file is /etc/mongod.conf. To check whether remote access is enabled, look at the value assigned to bindIp under the net section.
If this value is localhost or 127.0.0.1, MongoDB is bound to localhost and poses no immediate concern.

net:
  port: 27017
  bindIp: 127.0.0.1

However, if bindIp is anything OTHER than localhost or 127.0.0.1, the MongoDB server needs to be patched.

net:
  port: 27017
  bindIp: 0.0.0.0

Note that NMIS8 and NMIS9 are not affected because MongoDB binds to localhost by default. Verify this by checking bindIp in /etc/mongod.conf as described above.
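The following script is an added example and is not part of this advisory, of MongoDB, or of Opmantek tooling. It turns the checks above (installed mongod version against the upgrade table, bindIp under net, and whether zlib is still listed under net.compression.compressors) into one triage call. It assumes that mongod.conf is the usual flat two-space-indented YAML, that a missing bindIp means the mongod 3.6+ default of localhost, that a missing compressors line means the 4.2+ server default which includes zlib, and that the first line of `mongod --version` reads "db version vX.Y.Z". The sample configs at the bottom are constructed for a dry run, not taken from any host.

```shell
#!/bin/sh
# Added triage helper (not from the advisory, MongoDB or Opmantek). Config
# text is passed in as a string so it runs offline; on a live host call
#   triage "$(cat /etc/mongod.conf)" "$(mongod --version | sed -n '1s/.*v//p')"
# (assumes the first line of `mongod --version` is "db version vX.Y.Z").

# Fixed release per supported branch, copied from the upgrade table above.
patched_for_branch() {
  case "$1" in
    8.2) echo 8.2.3 ;;   8.0) echo 8.0.17 ;;  7.0) echo 7.0.28 ;;
    6.0) echo 6.0.27 ;;  5.0) echo 5.0.32 ;;  4.4) echo 4.4.30 ;;
    *)   echo "" ;;      # 4.2 and older: unsupported, no patch exists
  esac
}

# Numeric x.y.z comparison: prints lt, eq or gt for "$1" versus "$2".
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) { print "lt"; exit }
      if (xi > yi) { print "gt"; exit }
    }
    print "eq"
  }'
}

# patched, vulnerable or unsupported for a mongod version string.
version_status() {
  fixed=$(patched_for_branch "$(echo "$1" | cut -d. -f1,2)")
  if [ -z "$fixed" ]; then
    echo unsupported
  elif [ "$(vercmp "$1" "$fixed")" = lt ]; then
    echo vulnerable
  else
    echo patched
  fi
}

# First value of "<key>:" in the config text, with spaces and double quotes
# stripped. mongod.conf is flat two-space-indented YAML, so a line match is
# enough for these keys (assumption: no full YAML parser needed here).
conf_value() {   # $1 = config text, $2 = key name
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
    | head -n 1 | tr -d ' "'
}

# local when mongod listens only on loopback, exposed otherwise. A missing
# bindIp is treated as local (mongod has defaulted to localhost since 3.6).
bind_status() {
  if [ "$(conf_value "$1" bindIpAll)" = true ]; then
    echo exposed; return
  fi
  case "$(conf_value "$1" bindIp)" in
    ""|localhost|127.0.0.1|::1) echo local ;;
    *) echo exposed ;;    # any other address, or a list, reaches the network
  esac
}

# zlib when the server will still negotiate zlib, no-zlib otherwise. No
# compressors line means the server default (4.2+: snappy,zstd,zlib).
zlib_status() {
  case ",$(conf_value "$1" compressors)," in
    ",,"|*,zlib,*) echo zlib ;;
    *) echo no-zlib ;;    # explicit list without zlib, or "disabled"
  esac
}

# Overall verdict, following the advisory's order: patched builds are done;
# localhost-only servers are no immediate concern; zlib off is a stop-gap.
triage() {   # $1 = config text, $2 = mongod version
  if [ "$(version_status "$2")" = patched ]; then
    echo patched
  elif [ "$(bind_status "$1")" = local ]; then
    echo not-exposed
  elif [ "$(zlib_status "$1")" = no-zlib ]; then
    echo workaround-in-place  # still upgrade, but zlib is no longer offered
  else
    echo patch-required
  fi
}

# Constructed sample configs for a dry run (not taken from any real host).
SAMPLE_LOCAL='net:
  port: 27017
  bindIp: 127.0.0.1'
SAMPLE_EXPOSED='net:
  port: 27017
  bindIp: 0.0.0.0'
SAMPLE_NOZLIB='net:
  port: 27017
  bindIp: 0.0.0.0
  compression:
    compressors: zstd,snappy'

for v in 7.0.27 7.0.28 4.2.24; do
  printf '%-8s local=%s exposed=%s nozlib=%s\n' "$v" \
    "$(triage "$SAMPLE_LOCAL" "$v")" "$(triage "$SAMPLE_EXPOSED" "$v")" \
    "$(triage "$SAMPLE_NOZLIB" "$v")"
done
```

An unsupported branch (4.2 and older) never reports patched, so an exposed 4.2 host ends up as patch-required, which matches the note above that upgrading is mandatory there. A bindIp list such as 127.0.0.1,10.0.0.5 is deliberately treated as exposed, since the server is reachable from the network on the second address.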