New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory
好的，我现在需要帮用户总结这篇文章的内容。用户的要求是用中文，控制在100个字以内，不需要特定的开头，直接写描述即可。首先，我快速浏览文章内容。文章主要讲MongoDB的一个高危安全漏洞，编号CVE-2025-14847，CVSS评分8.7。这个漏洞允许未认证的用户读取未初始化的堆内存。漏洞原因是处理长度参数不一致的问题，特别是在Zlib压缩协议头中存在长度字段不匹配的情况。接下来，文章列出了受影响的MongoDB版本范围，从3.6到8.2.3等多个版本。已经修复的版本包括8.2.3、8.0.17等。建议用户尽快升级到修复版本，并提供了临时解决方案：禁用Zlib压缩，改用Snappy或Zstd。然后，我需要将这些信息浓缩到100字以内。重点包括：漏洞名称、影响范围、风险、修复建议和临时措施。可能的结构是：MongoDB存在高危漏洞（CVE编号），影响多个版本，允许未认证访问读取内存数据。建议升级或禁用Zlib压缩。现在检查字数是否符合要求，并确保信息准确无误。 </think> MongoDB 存在高危漏洞（CVE-2025-14847），影响多个版本，允许未认证用户读取未初始化内存数据。建议升级至修复版本或禁用 Zlib 压缩以缓解风险。 2025-12-27 07:52:0 Author: thehackernews.com(查看原文) 阅读量:6 收藏

Database Security / Vulnerability

A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.

The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data.

"Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client," according to a description of the flaw in CVE.org.

The flaw impacts the following versions of the database -

MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions

The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

"An client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server," MongoDB said. "We strongly recommend upgrading to a fixed version as soon as possible."

If immediate update is not an option, it's recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd.

"CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap," OP Innovate said. "This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

文章来源: https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html
如有侵权请联系:admin#unsafe.sh