PatchSiren cyber security CVE debrief

CVE-2025-14847 MongoDB CVE debrief

CVE-2025-14847 is a MongoDB and MongoDB Server vulnerability described as an improper handling of length parameter inconsistency issue. CISA has placed it in the Known Exploited Vulnerabilities (KEV) catalog, which means defenders should treat it as a vulnerability with known exploitation and prioritize mitigation based on vendor guidance.

Vendor: MongoDB
Product: MongoDB and MongoDB Server
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-12-29
Original CVE updated: 2025-12-29
Advisory published: 2025-12-29
Advisory updated: 2025-12-29

Who should care

MongoDB administrators, database platform owners, cloud service operators, application teams that embed MongoDB, and security teams responsible for vulnerability response and asset remediation.

Technical summary

The official records identify the issue as an improper handling of length parameter inconsistency vulnerability in MongoDB and MongoDB Server. The supplied corpus does not include affected version ranges, exploit mechanics, or remediation specifics, but CISA’s KEV listing indicates known exploitation and directs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable.

Defensive priority

High

Recommended defensive actions

  • Identify all MongoDB and MongoDB Server deployments, including managed and embedded uses.
  • Check the official CVE and NVD records for any version-specific impact information and vendor-linked guidance.
  • Apply vendor mitigations, as directed in the CISA KEV entry, as soon as practical.
  • If mitigations are unavailable, follow CISA guidance to discontinue use of the product or service.
  • For cloud services, follow applicable BOD 22-01 guidance and coordinate with your service provider.
  • Track exposure status until remediation is complete and verify that affected instances are no longer vulnerable.

Evidence notes

This debrief is based only on the supplied official/authoritative records: the CISA KEV entry, the CVE record, and the NVD detail page. The CISA source lists MongoDB as the vendor project, MongoDB and MongoDB Server as the product, date added 2025-12-29, due date 2026-01-19, and required action to apply vendor mitigations or discontinue use if mitigations are unavailable. The corpus does not provide CVSS scoring, affected version ranges, or product-specific remediation steps, so those details are intentionally not inferred.

Official resources

Public defensive debrief derived from official CVE/CISA/NVD references only. No exploit code, weaponized reproduction, or unsupported claims included.