
Percona Server for MongoDB 6.0.27-21 (2026-01-12)


Percona Server for MongoDB 6.0.27-21 is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.

It is based on MongoDB 6.0.26 Community Edition and MongoDB 6.0.27 Community Edition.

Percona Server for MongoDB 6.0.27-21 supports protocols and drivers of both MongoDB 6.0.26 and MongoDB 6.0.27.

Release Highlights

Security update: Mitigation of heap memory disclosure vulnerability

This release fixes the security vulnerability CVE-2025-14847 (CWE-130) in how MongoDB uses the zlib compression library. Attackers with network access to mongod or mongos can extract fragments of uninitialized server memory without authentication if zlib compression is enabled. This memory may contain sensitive data, which poses a serious information disclosure risk.

Affected versions

This vulnerability affects the following versions of MongoDB Community Edition and Percona Server for MongoDB:

  • Percona Server for MongoDB 8.0.4-1 through 8.0.16-5
  • Percona Server for MongoDB 7.0.2-1 through 7.0.26-14
  • Percona Server for MongoDB 6.0.2-1 through 6.0.25-20
  • Percona Server for MongoDB 5.0.2-1 through 5.0.29-25
  • Percona Server for MongoDB 4.4.0-1 through 4.4.29-28
  • All Percona Server for MongoDB Server 4.2 versions
  • All Percona Server for MongoDB Server 4.0 versions
  • All Percona Server for MongoDB Server 3.6 versions

The issue is fixed upstream and is included in Percona Server for MongoDB 6.0.27-21, 7.0.28-15 and 8.0.17-6. We strongly recommend upgrading Percona Server for MongoDB to this latest minor version to ensure your deployments remain secure.

Workaround

If upgrading is not possible right away, disable zlib compression by setting networkMessageCompressors (or net.compression.compressors) in the configuration file or startup parameters to a list that omits zlib. Safe alternatives are snappy or zstd.

To disable zlib compression, edit the mongod.conf or mongos.conf configuration file and set the net.compression.compressors parameter as follows:

net:
  compression:
    compressors: snappy,zstd

Then restart the mongod or mongos service to apply the changes.

Alternatively, start mongod or mongos with the --networkMessageCompressors parameter as follows:

mongod --networkMessageCompressors snappy,zstd

Or for mongos:

mongos --networkMessageCompressors snappy,zstd

Verify that zlib is disabled by running db.adminCommand({ getCmdLineOpts: 1 }) and checking the compressors value under parsed.net.compression. Also ensure the server logs show no zlib negotiation when you connect with a client that explicitly requests zlib.
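The following is an added example (not part of these release notes or of Percona's own tooling) that audits the document returned by getCmdLineOpts and reports whether zlib is still in effect. It assumes that, when the option is absent from both the config file and the command line, the server falls back to MongoDB's default of snappy,zstd,zlib, so an absent setting must be treated as vulnerable rather than safe; the sample documents are constructed.

```python
import json

# Assumed default of net.compression.compressors on MongoDB 4.2 and later:
# with no explicit setting, zlib is enabled.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def effective_compressors(cmdline_opts: dict) -> list[str]:
    """Return the compressor list a mongod/mongos is actually running with.

    `cmdline_opts` is the document returned by db.adminCommand({getCmdLineOpts: 1}).
    Its 'parsed' subdocument already merges the config file and command-line
    flags, so only parsed.net.compression.compressors needs inspecting.
    """
    value = (cmdline_opts.get("parsed", {})
                         .get("net", {})
                         .get("compression", {})
                         .get("compressors"))
    if value is None:
        value = DEFAULT_COMPRESSORS          # absent option: server default applies
    if value.strip() == "disabled":          # 'disabled' turns compression off entirely
        return []
    return [c.strip() for c in value.split(",") if c.strip()]


def zlib_enabled(cmdline_opts: dict) -> bool:
    """True when the node still negotiates zlib and the workaround is not in effect."""
    return "zlib" in effective_compressors(cmdline_opts)


# Constructed sample output: one node with the workaround applied, one running defaults.
PATCHED = json.loads('{"argv":["mongod","--networkMessageCompressors","snappy,zstd"],'
                     '"parsed":{"net":{"compression":{"compressors":"snappy,zstd"}}},"ok":1}')
UNPATCHED = json.loads('{"argv":["mongod","-f","/etc/mongod.conf"],'
                       '"parsed":{"config":"/etc/mongod.conf","net":{"bindIp":"127.0.0.1"}},"ok":1}')

if __name__ == "__main__":
    for name, doc in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(f"{name}: zlib enabled={zlib_enabled(doc)} compressors={effective_compressors(doc)}")
```

Feed it the JSON you get from mongosh on each node; a node that prints zlib enabled=True still needs the configuration change and a restart.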

Sunsetting Pro Builds

In line with our open-source mission, we are officially sunsetting Pro Builds. All features that were previously included in Pro Builds are now accessible to everyone in our regular public builds.

If you require a Pro Build for a previously released version, your Percona representative is ready to guide you. Our goal is to ensure a smooth transition and continued success with Percona open-source solutions, enhanced with enterprise-grade capabilities.

Upstream Improvements

The following bug fixes come from MongoDB Community Edition and are included in Percona Server for MongoDB:

  • SERVER-115508 - Fixed a critical security vulnerability (CVE-2025-14847) where unauthenticated remote attackers could read uninitialized heap memory via the zlib compression protocol. This was caused by improper handling of length parameter inconsistencies in zlib-compressed protocol headers. The fix ensures the server uses minimally sized buffers for uncompressed messages, preventing sensitive information disclosure.
  • SERVER-109268 - Fixed a critical issue where MongoDB failed to enforce FIPS-compliant cryptography on Linux systems using OpenSSL 3. When tlsFIPSMode was enabled, MongoDB 6.0 and later could still utilize non-FIPS-compliant providers and algorithms (such as CHACHA20-POLY1305) if the OpenSSL “default” provider remained active. The fix ensures that MongoDB correctly restricts cryptographic operations to FIPS-validated modules, preventing unauthorized non-compliant connections.