Alert - AL25-021 - Vulnerability affecting MongoDB - CVE-2025-14847

Number: AL25-021
Date: December 29, 2025

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of a high-severity vulnerability in MongoDB Server [1]. In response to the vendor advisory released on December 19, 2025, the Cyber Centre issued AV25-862 [2] on December 24, 2025.

Tracked as CVE-2025-14847 [3], this vulnerability allows an unauthenticated remote attacker to read uninitialized heap memory due to mismatched length fields (CWE-130) [4] in zlib-compressed protocol headers. The vulnerability occurs prior to authentication and affects multiple supported and legacy MongoDB versions.

The Cyber Centre has observed open-source reporting indicating that multiple Proofs of Concept (PoC) are available and that this vulnerability is being exploited in the wild [5].

Suggested actions

The Cyber Centre recommends that organizations upgrade affected MongoDB Server(s) to a fixed version:

Affected product   Affected version   Fixed version
MongoDB 8.2        8.2.0 – 8.2.2      8.2.3
MongoDB 8.0        8.0.0 – 8.0.16     8.0.17
MongoDB 7.0        7.0.0 – 7.0.27     7.0.28
MongoDB 6.0        6.0.0 – 6.0.26     6.0.27
MongoDB 5.0        5.0.0 – 5.0.31     5.0.32
MongoDB 4.4        4.4.0 – 4.4.29     4.4.30
MongoDB 4.2        All versions       No vendor fix; upgrade to fixed version
MongoDB 4.0        All versions       No vendor fix; upgrade to fixed version
MongoDB 3.6        All versions       No vendor fix; upgrade to fixed version

If immediate patching is not possible, reduce exposure by:

  • Disabling zlib compression by starting mongod/mongos with networkMessageCompressors or net.compression.compressors options that omit zlib (use snappy or zstd).
  • Restricting network access to MongoDB to trusted IPs; avoid direct internet exposure.
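
A triage sketch for the upgrade table and the zlib mitigation above (an added example, not Cyber Centre or MongoDB code): it classifies a server version against the table in this Alert and checks whether zlib is among the configured compressors. The function names and sample inputs are constructed; an unset compressor option is treated as zlib-enabled, which is a conservative assumption.

```python
import re

# Fixed patch release per release line, copied from the table in this Alert.
FIXED = {(8, 2): 3, (8, 0): 17, (7, 0): 28, (6, 0): 27, (5, 0): 32, (4, 4): 30}
# Release lines the Alert lists as affected in all versions, with no vendor fix.
NO_FIX = {(4, 2), (4, 0), (3, 6)}

def version_status(version):
    """Classify an 'X.Y.Z' server version against the Alert's table."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    line, patch = (int(m[1]), int(m[2])), int(m[3])
    if line in NO_FIX:
        return "affected-no-fix"
    if line in FIXED:
        return "affected" if patch < FIXED[line] else "fixed"
    return "not-listed"  # the Alert says nothing about this release line

def configured_compressors(argv, conf_text=""):
    """Compressor list from the command line, else the config text, else None."""
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
    # Simplification: find the net.compression 'compressors:' key by name only.
    m = re.search(r"^\s*compressors:[ \t]*([\w, ]+?)[ \t]*(?:#.*)?$", conf_text, re.M)
    return m.group(1) if m else None

def zlib_enabled(compressors):
    """True if zlib may be in use; an unset option counts as enabled (assumption)."""
    if compressors is None:
        return True
    return "zlib" in {c.strip().lower() for c in compressors.split(",")}

def triage(version, argv, conf_text=""):
    """Return (version status, zlib enabled?, suggested action from the Alert)."""
    status = version_status(version)
    zlib = zlib_enabled(configured_compressors(argv, conf_text))
    if status == "fixed":
        action = "already on a fixed version"
    elif status == "not-listed":
        action = "release line not in the Alert's table; check the vendor advisory"
    elif zlib:
        action = "upgrade to a fixed version; until then omit zlib and restrict access"
    else:
        action = "zlib omitted as interim mitigation; still upgrade to a fixed version"
    return status, zlib, action

if __name__ == "__main__":  # constructed sample inventory
    for ver, argv in [("8.0.16", ["mongod"]), ("4.2.24", ["mongod", "--networkMessageCompressors=snappy"])]:
        print(ver, triage(ver, argv))
```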

As a precaution, it is recommended that organizations review their logs for potential signs of compromise, including:

  • Anomalous pre-authentication connections or unexpected errors in MongoDB logs.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions, with an emphasis on the following topics [6]:

  • Patch operating systems and applications
  • Harden operating systems and applications
  • Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.
