CVE-2025-14847 Patch for Percona MongoDB release

Hello everyone,

CVE-2025-14847 was just dropped out there for MongoDB during Christmas and it can be dangerous. According to Mongo, it was fixed on version 7.0.28: https://www.mongodb.com/docs/manual/release-notes/7.0/#7.0.28—dec-19–2025

However, there is no Percona release higher than 7.0.26-14. Are you aware of it? Is there anything going on to issue a new release?

CVE details can be found here: https://www.cve.org/CVERecord?id=CVE-2025-14847

This is a PoC of how that can be exploited: mongobleed/README.md at main · joe-desimone/mongobleed · GitHub

2 Likes

Hi @Samuel_Vieira ,

Welcome to the community!

Yes, we are aware. Our engineering team is treating this as a top priority and the fix is planned with psmdb v7.0.28-15 & v8.0.17-6 releases. You can expect the release in the near future.

Merry Xmas and Happy New Year!

Regards,

Vinodh Guruji

6 Likes

Hi @Vinodh_Krishnaswamy ,

Thank you for letting us know about the progress.

Happy New Year!

Best regards,
Samuel

Are you guys planning to release for 6.0.X and older versions as well? I see MongoDB released 6.0.27 for the vulnerability fix even after the end of life.

Hi there - any ETA for this release? Or will it only be in the new year? For now we are planning to disable the zlib compression as a safety measure until the update is available.

1 Like

Hi @Jannas ,

Yes, it will be available in January. As you said, disabling the zlib compression until then to avoid any security vulnerability is recommended, i.e. explicitly start mongod without the zlib compression option.

net:
  compression:
    compressors: snappy,zstd

with command prompt:

mongos --networkMessageCompressors snappy,zstd

After that, to confirm zlib is disabled, use the command below to verify:

db.adminCommand({ getCmdLineOpts: 1 }).parsed.net.compression

Regards,

Vinodh Guruji

Thanks for the update, we will go with that route then. On our side the command:

db.adminCommand({ getCmdLineOpts: 1 }).parsed.net.compression

does not return anything, but we could check it by doing:

db.serverStatus().network.compression

Regards

Janneman Nortje

1 Like
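
A check that combines the two verification commands from the posts above with the fixed build numbers named in this thread, as an added example that is not part of any post and not Percona's code. It assumes the server reports its Percona build as a string like 7.0.26-14, that an unset compressors option means the defaults snappy, zstd and zlib, and that serverStatus lists one key per enabled compressor; the function names are hypothetical.

```javascript
// Added example, not code from the thread or from Percona.
// Fixed Percona builds per release series, as named in the thread.
const FIXED = { "6.0": "6.0.27-21", "7.0": "7.0.28-15", "8.0": "8.0.17-6" };
// Assumption: with no explicit setting the server offers snappy, zstd and zlib.
const DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"];

// "7.0.26-14" -> [7, 0, 26, 14]; null for anything not in that shape.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)-(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// true or false for a series the thread covers, null when it cannot tell.
function isPatched(version) {
  const have = parseVersion(version);
  const fixed = have ? FIXED[`${have[0]}.${have[1]}`] : undefined;
  if (!fixed) return null;
  const want = parseVersion(fixed);
  for (let i = 2; i < 4; i++) {
    if (have[i] !== want[i]) return have[i] > want[i];
  }
  return true;
}

// parsedNet: db.adminCommand({ getCmdLineOpts: 1 }).parsed.net (may be undefined)
// statusCompression: db.serverStatus().network.compression (may be undefined)
function zlibEnabled(parsedNet, statusCompression) {
  // Assumption: serverStatus lists one key per compressor the server has enabled.
  if (statusCompression && typeof statusCompression === "object") {
    return Object.keys(statusCompression).includes("zlib");
  }
  const configured = parsedNet?.compression?.compressors;
  // Nothing set explicitly: getCmdLineOpts shows nothing and the defaults apply.
  const list = configured == null ? DEFAULT_COMPRESSORS : String(configured).split(",");
  return list.map((s) => s.trim().toLowerCase()).includes("zlib");
}

function assess(version, parsedNet, statusCompression) {
  const patched = isPatched(version);
  const zlib = zlibEnabled(parsedNet, statusCompression);
  let action = "none: build has the fix";
  if (patched !== true) action = zlib ? "disable zlib or upgrade" : "zlib off, upgrade when available";
  return { patched, zlib, action };
}

// Constructed sample inputs (not captured from a real server).
console.log(assess("7.0.26-14", undefined, undefined));
console.log(assess("7.0.26-14", { compression: { compressors: "snappy,zstd" } }, { snappy: {}, zstd: {} }));
```

In mongosh the three arguments would come from `db.version()`, the `getCmdLineOpts` call and the `serverStatus` call quoted in the posts above.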

Yes, the 6.0 patch will be available next week, around January 12, 2026.

1 Like

Hello everyone, in case you didn’t see:

The 7.0.28-15 release is out there :) Percona Server for MongoDB 7.0.28-15 (2026-01-06) - Percona Server for MongoDB 7.0

1 Like

Correct. And also a fix for 8.0. See: https://www.percona.com/blog/urgent-security-update-patching-mongobleed-cve-2025-14847-in-percona-server-for-mongodb/

Fix for 6.0 is released: 6.0.27-21 with a fix for mongobleed was published: Percona Server for MongoDB 6.0.27-21 (2026-01-12) - Percona Server for MongoDB 6.0

1 Like