"MongoBleed" CVE-2025-14847 in many versions of MongoDB

[Alan Coopersmith <alan.coopersmith () oracle com>]

[While current versions of MongoDB are not under an OSI-approved open source
 license, this bug also affects older versions which were - and there seem to
 be a lot of packages distributed under either license from a quick check of
 https://repology.org/project/mongodb/versions - apologies if anyone thinks
 this should be off-topic for oss-security.  -alan-]


https://jira.mongodb.org/browse/SERVER-115508 says:

> SUMMARY
>
> This is a critical fix to address CVE-2025-14847.
> Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
>
> ISSUE DESCRIPTION AND IMPACT
>
> An client-side exploit of the Server's zlib implementation can return
> uninitialized heap memory without authenticating to the server.
> We strongly recommend upgrading to a fixed version as soon as possible.
>
> This issue affects MongoDB versions:
>
>     MongoDB 8.2.0 through 8.2.2
>     MongoDB 8.0.0 through 8.0.16
>     MongoDB 7.0.0 through 7.0.26
>     MongoDB 6.0.0 through 6.0.26
>     MongoDB 5.0.0 through 5.0.31
>     MongoDB 4.4.0 through 4.4.29
>     All MongoDB Server v4.2 versions
>     All MongoDB Server v4.0 versions
>     All MongoDB Server v3.6 versions
>
> WORKAROUND
>
> We strongly suggest you upgrade immediately.
>
> If you cannot upgrade immediately, disable zlib compression on the MongoDB
> Server by starting mongod or mongos with a networkMessageCompressors or a
> net.compression.compressors option that explicitly omits zlib.
> Example safe values include snappy,zstd or disabled
>
> REMEDIATION
>
> Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

More information and a proof-of-concept have been posted to:
https://github.com/joe-desimone/mongobleed