Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

High Severity Vulnerability in MongoDB Server

30 December 2025

MongoDB has released security updates addressing a high severity vulnerability (CVE-2025-14847) in their MongoDB Server's zlib implementation.

Background

MongoDB has released security updates addressing a high severity vulnerability (CVE-2025-14847) in their MongoDB Server's zlib implementation.

Impact

Successful exploitation of the vulnerability could allow an unauthenticated attacker to access uninitialised heap memory via compressed network messages without authenticating to the server.

Known Exploitation

This vulnerability is reportedly being exploited in the wild.

Affected Products

The vulnerability affects the following product versions:

  • MongoDB 8.2.0 through 8.2.2

  • MongoDB 8.0.0 through 8.0.16

  • MongoDB 7.0.0 through 7.0.26

  • MongoDB 6.0.0 through 6.0.26

  • MongoDB 5.0.0 through 5.0.31

  • MongoDB 4.4.0 through 4.4.29

  • All MongoDB Server v4.2 versions

  • All MongoDB Server v4.0 versions

  • All MongoDB Server v3.6 versions

Recommendations

Users and administrators of affected product versions are advised to update to the latest versions immediately.

If immediate patching is not feasible, administrators may consider disabling zlib compression on the MongoDB Server by starting "mongod" or "mongos" with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. Examples of safe values include "snappy", "zstd" or "disabled".

References

https://jira.mongodb.org/browse/SERVER-115508

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html

Back to top