## https://sploitus.com/exploit?id=86F2BDB6-EA0C-590C-8322-5C875BE54586
# CVE-2025-14847-mongobleed
Python file for CVE-2025-14847 (mongobleed).
# CVE-2025-14847

> https://jira.mongodb.org/browse/SERVER-115508
> 
> **SUMMARY**
>
> This is a critical fix to address [CVE-2025-14847](https://vulners.com/cve/CVE-2025-14847). Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
>
> **ISSUE DESCRIPTION AND IMPACT**
>
> A client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible.
>
> This issue affects MongoDB versions:
>
> - MongoDB 8.2.0 through 8.2.3
> - MongoDB 8.0.0 through 8.0.16
> - MongoDB 7.0.0 through 7.0.26
> - MongoDB 6.0.0 through 6.0.26
> - MongoDB 5.0.0 through 5.0.31
> - MongoDB 4.4.0 through 4.4.29
> - All MongoDB Server v4.2 versions
> - All MongoDB Server v4.0 versions
> - All MongoDB Server v3.6 versions
>
> **WORKAROUND**
>
> We strongly suggest you upgrade immediately.
>
> If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting `mongod` or `mongos` with a [`networkMessageCompressors`](https://www.mongodb.com/docs/manual/reference/program/mongod/#std-option-mongod.--networkMessageCompressors) or a [`net.compression.compressors`](https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-net.compression.compressors) option that explicitly omits `zlib`. Example safe values include `snappy,zstd` or `disabled`.
>
> **REMEDIATION**
>
> Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
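
An added check for the workaround above (my example, not code from this repository or from MongoDB): a POSIX shell audit that reports whether a compressor value, a YAML config file, or a `mongod` command line still permits `zlib`. It assumes the config follows the documented `net.compression.compressors` layout and, when the option is unset, that the server default (which includes zlib on 4.2 and later) applies; the sample config files are constructed for the demonstration.

```shell
# Added example, not from this repository or MongoDB: audit a mongod/mongos
# setup for the CVE-2025-14847 workaround, a compressor list that omits zlib.

# Print "zlib-enabled" or "zlib-disabled" for a networkMessageCompressors /
# net.compression.compressors value. An empty value means the option is unset;
# the server default then applies, assumed here (per MongoDB docs for 4.2+)
# to include zlib, so it is reported as enabled.
audit_compressors() {
  value=$(printf '%s' "$1" | tr -d " \"'")
  if [ -z "$value" ]; then
    echo zlib-enabled
    return 0
  fi
  case ",$value," in
    *,zlib,*) echo zlib-enabled ;;
    *) echo zlib-disabled ;;
  esac
}

# Audit the compressors key of a YAML config file (net.compression.compressors).
audit_config_file() {
  value=$(sed -n 's/^[[:space:]]*compressors:[[:space:]]*//p' "$1" | head -n 1)
  audit_compressors "$value"
}

# Audit the --networkMessageCompressors option of a mongod/mongos command line.
audit_cmdline() {
  value=$(printf '%s\n' "$1" | sed -n 's/.*--networkMessageCompressors[= ]\([^ ]*\).*/\1/p')
  audit_compressors "$value"
}

# Constructed sample configs: a zlib-enabled setting beside the advisory's workaround.
weak_conf=$(mktemp)
safe_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
net:
  compression:
    compressors: snappy,zstd,zlib
EOF
cat > "$safe_conf" <<'EOF'
net:
  compression:
    compressors: snappy,zstd
EOF
printf 'weak config: %s\n' "$(audit_config_file "$weak_conf")"
printf 'safe config: %s\n' "$(audit_config_file "$safe_conf")"
printf 'command line: %s\n' "$(audit_cmdline 'mongod --networkMessageCompressors disabled')"
rm -f "$weak_conf" "$safe_conf"
```

A "zlib-enabled" result on an unpatched version means the workaround is not in place; upgrading to a fixed release remains the remediation.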


- https://jira.mongodb.org/browse/SERVER-115508
- https://github.com/mongodb/mongo/commit/1264f9be5165abb0981f8023d2495652ab916699#diff-fd797e63d8e20a16cf0adcb6b5542f2124de9bf6f3afa913ba8d09d3022b11ac
- https://github.com/mongodb/mongo/blob/1264f9be5165abb0981f8023d2495652ab916699/src/mongo/transport/message_compressor_manager_test.cpp

Note:
The contents of this repository include AI-generated material.