
USN-8160-1: MongoDB vulnerability

The vulnerability CVE-2025-14847 (CVSS 7.5 HIGH) is an information disclosure flaw in MongoDB where improper handling of length parameters in zlib-compressed network messages prior to authentication allows an unauthenticated remote attacker to trigger an oversized memory buffer allocation, exposing sensitive information. Affected versions include MongoDB 3.6.0 through 4.4.29, 5.0.0 through 5.0.31, 6.0.0 through 6.0.26, 7.0.0 through 7.0.27, and 8.0.0 through 8.0.16. The fix requires upgrading to MongoDB version 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, or 8.2.3.

Ubuntu Security Notices: USN-8160-1

Publication date: 9 April 2026

Overview

MongoDB could be made to expose sensitive information over the network.

Releases

20.04 LTS
18.04 LTS

Packages

mongodb - object/document-oriented database

Details

It was discovered that MongoDB incorrectly handled length parameters in zlib-compressed network messages prior to authentication. An unauthenticated remote attacker could possibly use this issue to cause MongoDB to allocate an oversized memory buffer, resulting in the exposure of sensitive information.

Update instructions

After a standard system update you need to restart the mongodb service to make all the necessary changes.

The problem can be corrected by updating your system to the following package versions. For every package listed: Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future.

20.04 LTS (focal)

mongodb – 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1
mongodb-clients – 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1
mongodb-server – 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1
mongodb-server-core – 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3+esm1

18.04 LTS (bionic)

mongodb – 1:3.6.3-0ubuntu1.4+esm2
mongodb-clients – 1:3.6.3-0ubuntu1.4+esm2
mongodb-server – 1:3.6.3-0ubuntu1.4+esm2
mongodb-server-core – 1:3.6.3-0ubuntu1.4+esm2

References

CVE-2025-14847
