What happened
CISA added CVE-2025-14847 to the Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation and imposing a federal remediation deadline [CISA KEV]. The entry lists the product as “MongoDB and MongoDB Server” and describes improper handling of a length parameter inconsistency in Zlib-compressed protocol headers that can let an unauthenticated client read uninitialized heap memory [CISA KEV]. NVD tracks the same issue under CVE-2025-14847 with CWE-130 (Improper Handling of Length Parameter Inconsistency) and confirms the uninitialized memory read condition [NVD CVE-2025-14847]. The MITRE CVE record is published and aligns on the identification details for this vulnerability [MITRE CVE-2025-14847].
Per the KEV catalog, the vulnerability was added on 2025-12-29 with a remediation due date of 2026-01-19 for federal agencies, reflecting CISA’s binding operational directive process [CISA KEV]. CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable [CISA KEV].
Why it matters
This is a memory disclosure primitive reachable before authentication, which lowers the bar for an attacker: the flaw lets an unauthenticated client read uninitialized heap memory from the MongoDB server process when Zlib-compressed protocol headers are malformed or internally inconsistent [NVD CVE-2025-14847]. Inclusion in KEV means exploitation is occurring in the wild, so remediation is urgent for organizations in scope of federal directives and beyond [CISA KEV]. The weakness class is squarely CWE-130, where mismatched or inconsistent length parameters lead to unsafe memory access in protocol parsing paths [NVD CVE-2025-14847].
CISA’s catalog entry ties this to MongoDB Server and notes that the flaw could lie in an underlying component or protocol detail, a reminder that similar compressed-header parsing in other products may share the weakness [CISA KEV]. The net effect: a low-interaction, network-reachable disclosure channel on a database service that is frequently high-value, with exploitation confirmed by its KEV status [CISA KEV].
Technical detail
The vulnerability lies in MongoDB’s handling of Zlib-compressed protocol headers, where a length parameter inconsistency can cause the server to read from uninitialized heap memory [NVD CVE-2025-14847]. The weakness maps to CWE-130, which covers flaws where size or length fields disagree with the actual buffer or payload, creating parsing paths that read memory that was never initialized with valid data [NVD CVE-2025-14847]. Because the bug is reachable by an unauthenticated client, the attack surface exists before any credential checks on the MongoDB wire protocol [NVD CVE-2025-14847].
CISA’s KEV entry attributes the issue to “MongoDB and MongoDB Server”; catalog inclusion itself signals exploitation in the wild, and federal action is required under the KEV program timelines (date added 2025-12-29; due date 2026-01-19) [CISA KEV]. The MITRE record provides the canonical CVE metadata and coordinates the identifier across databases and vendors [MITRE CVE-2025-14847]. The KEV notes also indicate the vulnerable condition could stem from an open-source component, third-party library, protocol detail, or proprietary implementation, a reminder to evaluate similar parsing code across product boundaries where applicable [CISA KEV].
Defense
Follow CISA’s required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable [CISA KEV]. Track the KEV remediation deadline of 2026-01-19 for in-scope environments and prioritize change windows accordingly [CISA KEV]. Where possible, verify that every MongoDB deployment you operate maps cleanly to the vendor’s remediation guidance for CVE-2025-14847, and confirm that all members of a replica set or sharded cluster are at a consistent, remediated state [NVD CVE-2025-14847].
Operationally, treat pre-auth, protocol-level bugs as internet-critical: aggressively minimize unnecessary exposure and ensure only intended clients can reach the database endpoint while you roll out fixes [CISA KEV]. Maintain an exceptions register for instances that cannot be remediated immediately, align it to the KEV due date, and record the compensating controls approved through risk governance [CISA KEV]. Continue to monitor the MITRE and NVD records for updates to references or severity metadata for this CVE [MITRE CVE-2025-14847].
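As an added illustration, not code from this post, from Lyrie, or from MongoDB: a Python check of the kind of length/header coherence the Defense section calls for, applied to a MongoDB OP_COMPRESSED wire-protocol message that uses the zlib compressor. It relies on the public wire-protocol layout (MsgHeader, then originalOpcode, uncompressedSize, compressorId) as I understand it; the sample messages are constructed here, and the check is a generic CWE-130-style sanity gate for the CWE class described in Technical detail, not a reproduction of the vulnerable code path.

```python
import struct
import zlib

# Public MongoDB wire-protocol constants (assumed correct for this example).
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MSG_HEADER_LEN = 16             # messageLength, requestID, responseTo, opCode (int32 each)
COMPRESSED_HDR_LEN = 9          # originalOpcode int32, uncompressedSize int32, compressorId uint8
MAX_MESSAGE_BYTES = 48_000_000  # MongoDB's maxMessageSizeBytes upper bound

def build_op_compressed(payload: bytes, declared_size=None,
                        original_opcode=OP_MSG, request_id=1) -> bytes:
    """Constructed test fixture: declared_size may deliberately mis-state uncompressedSize."""
    if declared_size is None:
        declared_size = len(payload)
    body = struct.pack("<iiB", original_opcode, declared_size, COMPRESSOR_ZLIB)
    body += zlib.compress(payload)
    header = struct.pack("<iiii", MSG_HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED)
    return header + body

def check_compressed_header(msg: bytes):
    """Return (coherent, reason) for one complete, already-framed message."""
    if len(msg) < MSG_HEADER_LEN:
        return False, "message shorter than MsgHeader"
    message_length, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if message_length != len(msg):
        return False, f"messageLength {message_length} != actual {len(msg)}"
    if opcode != OP_COMPRESSED:
        return True, "not OP_COMPRESSED; nothing to check here"
    if len(msg) < MSG_HEADER_LEN + COMPRESSED_HDR_LEN:
        return False, "truncated OP_COMPRESSED header"
    _orig_opcode, declared, compressor_id = struct.unpack_from("<iiB", msg, MSG_HEADER_LEN)
    if compressor_id != COMPRESSOR_ZLIB:
        return True, "non-zlib compressor; not covered by this example"
    if declared < 0 or declared > MAX_MESSAGE_BYTES:
        return False, f"uncompressedSize {declared} out of range"
    inflater = zlib.decompressobj()
    try:
        # Cap output at declared+1: an understated size cannot force a large
        # allocation, and any excess surfaces as a length mismatch below.
        out = inflater.decompress(msg[MSG_HEADER_LEN + COMPRESSED_HDR_LEN:], declared + 1)
    except zlib.error as exc:
        return False, f"zlib stream invalid: {exc}"
    if not inflater.eof or inflater.unused_data or inflater.unconsumed_tail:
        return False, "compressed stream incomplete, oversized, or has trailing bytes"
    if len(out) != declared:
        return False, f"uncompressedSize {declared} != decompressed {len(out)}"
    return True, "header and payload lengths are coherent"
```

Rejecting a message here is a sanity gate in front of the decompressor and the command layer; it complements, and does not replace, the vendor fix.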
Lyrie Verdict
This is a header-level, pre-auth memory disclosure in a high-value service, and autonomous actors will iterate malformed compressed headers at machine speed to harvest any server memory exposure [NVD CVE-2025-14847]. Lyrie’s stance: don’t wait for patch cycles—enforce protocol sanity at the edge. Our autonomous detectors model MongoDB request semantics and validate length/header coherence in real time, blocking inconsistent Zlib-compressed sequences that match exploitation patterns while preserving legitimate flows [CISA KEV]. Tie this into asset intelligence to auto-prioritize MongoDB endpoints and pre-auth surfaces flagged by KEV so response is immediate, not ticket-driven [MITRE CVE-2025-14847].
Lyrie Verdict
Pre-auth, header-level memory disclosure on a database is prime for automated exploitation. Lyrie enforces wire-protocol sanity and length/header coherence for MongoDB at machine speed, auto-prioritizes KEV-tagged assets, and blocks malformed Zlib-compressed sequences consistent with CVE-2025-14847 while patches roll out.