Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

MongoDB Server Heap Memory Disclosure Vulnerability via Zlib Compression in Protocol Headers

Vulnerability

A vulnerability exists in MongoDB Server in the handling of zlib-compressed protocol headers, where mismatched length fields may lead to an unauthorized read of uninitialized heap memory. This issue affects multiple MongoDB Server versions across the 3.6 to 8.2 release series. The vulnerability arises from the server's handling of compressed wire-protocol messages, allowing an unauthenticated client to abuse the protocol and read memory it should not have access to.

Impact

Exploitation of this vulnerability can result in the unauthorized disclosure of uninitialized heap memory, which may contain sensitive information or lead to further exploitation.

Remediation

Users are advised to upgrade to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. If an immediate upgrade is not possible, zlib compression can be disabled by starting the MongoDB server with a networkMessageCompressors command-line option or a net.compression.compressors configuration setting that omits zlib, either by listing only alternatives such as snappy or zstd, or by disabling message compression altogether.
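The workaround above as a configuration example, added here and not taken from MongoDB or from this advisory: a mongod.conf net.compression fragment showing the default compressor list, which still permits zlib, beside two variants that omit it. The option names come from the advisory; the list syntax, the command-line equivalent and the disabled keyword follow MongoDB's documented option format as I know it, so check the exact spelling against the docs for your release before deploying.

```yaml
# Before (constructed example): the default compressor list, which still
# allows a client to negotiate zlib and reach the vulnerable header handling.
net:
  compression:
    compressors: snappy,zstd,zlib
---
# After: zlib removed from the list. A client that offers only zlib gets no
# compressor in common with the server and its messages go uncompressed.
# Command-line equivalent: mongod --networkMessageCompressors snappy,zstd
net:
  compression:
    compressors: snappy,zstd
---
# Alternative: turn message compression off entirely. The "disabled" keyword
# is the documented value for this purpose (assumed from the MongoDB docs).
# Command-line equivalent: mongod --networkMessageCompressors disabled
net:
  compression:
    compressors: disabled
```

After restarting mongod, running db.serverCmdLineOpts().parsed.net.compression in mongosh shows the compressor list the server actually started with, which is the check to record when documenting the mitigation.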

Added: Dec 19, 2025, 11:18 AM
Updated: Dec 29, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 0.6
exploitability: 8.7
remediation: 8.3
relevance: 1.4
threat: 9.3
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.