Percona Server for MongoDB 7.0.28-15 (2026-01-06)¶
Installation Upgrade from MongoDB Community
Percona Server for MongoDB 7.0.28-15 is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.
Percona Server for MongoDB 7.0.28-15 includes the improvements and bug fixes of MongoDB 7.0.27 Community Edition and MongoDB 7.0.28 Community Edition. It supports protocols and drivers of both MongoDB Community 7.0.27 and MongoDB Community 7.0.28.
Release Highlights¶
Security update: Mitigation of heap memory disclosure vulnerability¶
This release fixes security vulnerability CVE-2025-14847: CWE-130 in how MongoDB uses zlib compression library. Attackers with network access to mongod or mongos can extract fragments of uninitialized server memory without authentication if zlib compression is enabled. This memory may contain sensitive data, which poses a serious information disclosure risk.
Affected versions¶
This vulnerability affects the following versions of MongoDB Community Edition and Percona Server for MongoDB:
- Percona Server for MongoDB 8.0.4-1 through 8.0.16-5
- Percona Server for MongoDB 7.0.2-1 through 7.0.26-14
- Percona Server for MongoDB 6.0.2-1 through 6.0.25-20
- Percona Server for MongoDB 5.0.2-1 through 5.0.29-25
- Percona Server for MongoDB 4.4.0-1 through 4.4.29-28
- All Percona Server for MongoDB Server 4.2 versions
- All Percona Server for MongoDB Server 4.0 versions
- All Percona Server for MongoDB Server 3.6 versions
The issue is fixed upstream and is included in Percona Server for MongoDB 7.0.28-15 and 8.0.17-6. We strongly recommend upgrading Percona Server for MongoDB to this latest minor version to ensure your deployments remain secure.
Workaround¶
If upgrading is not possible right away, disable zlib compression by configuring networkMessageCompressors (or net.compression.compressors) in configuration or startup parameters. Safe alternatives are snappy or zstd.
To disable zlib compression, edit the mongod.conf or mongos.conf configuration file and set the net.compression.compressors parameter as follows:
net:
compression:
compressors: snappy,zstd
Then restart the mongod or mongos service to apply the changes.
To disable zlib compression, start mongod or mongos with the --networkMessageCompressors parameter as follows:
mongod --networkMessageCompressors snappy,zstd
Or for mongos:
mongos --networkMessageCompressors snappy,zstd
Verify that zlib is disabled using the db.adminCommand({ getCmdLineOpts: 1 }). Ensure logs show no zlib negotiation when you try to connect to the server with a client that explicitly requests zlib.
Upstream Improvements¶
The bug fixes, provided by MongoDB Community and included in Percona Server for MongoDB, are the following:
- SERVER-115508 - Fixed a critical security vulnerability (CVE-2025-14847) where unauthenticated remote attackers could read uninitialized heap memory via the zlib compression protocol. This was caused by improper handling of length parameter inconsistencies in zlib-compressed protocol headers. The fix ensures the server uses minimally sized buffers for uncompressed messages, preventing sensitive information disclosure.
- SERVER-55068 - Fixed a bug where the renameCollection command could fail if the target collection was being created or dropped concurrently. The fix improves the synchronization between concurrent DDL operations, ensuring that the rename process correctly handles or waits for the target collection’s state to stabilize.
- SERVER-82688 - Fixed a bug where the mongod process could crash if the number of incoming connections exceeded WiredTiger’s configured session_max limit.
- SERVER-94315 - Fixed the issue with shard filtering on a collection with non-simple default collation that is sharded on a field where the backing index has a simple collation. Shard filtering is now applied for non-simple collation find on sharded collections
Find the full list of changes in the release notes for: