Skip to content
Percona Software for MongoDB Documentation

Rate this page
Thanks for your feedback
Thank you! The feedback has been submitted.

Get free database assistance or contact our experts for personalized support.

Get help from Percona

Percona Server for MongoDB 8.0.17-6 (2026-01-06)

Install Upgrade from MongoDB Community

Percona Server for MongoDB 8.0.17-6 is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.

Percona Server for MongoDB 8.0.17-6 includes the improvements and bug fixes of MongoDB 8.0.17 Community Edition

Percona Server for MongoDB 8.0.17-6 supports protocols and drivers of MongoDB Community 8.0.17.

Security update: Mitigation of heap memory disclosure vulnerability

This release fixes security vulnerability CVE-2025-14847: CWE-130 in how MongoDB uses zlib compression library. Attackers with network access to mongod or mongos can extract fragments of uninitialized server memory without authentication if zlib compression is enabled. This memory may contain sensitive data, which poses a serious information disclosure risk.

Affected versions

This vulnerability affects the following versions of MongoDB Community Edition and Percona Server for MongoDB:

  • Percona Server for MongoDB 8.0.4-1 through 8.0.16-5
  • Percona Server for MongoDB 7.0.2-1 through 7.0.26-14
  • Percona Server for MongoDB 6.0.2-1 through 6.0.25-20
  • Percona Server for MongoDB 5.0.2-1 through 5.0.29-25
  • Percona Server for MongoDB 4.4.0-1 through 4.4.29-28
  • All Percona Server for MongoDB Server 4.2 versions
  • All Percona Server for MongoDB Server 4.0 versions
  • All Percona Server for MongoDB Server 3.6 versions

The issue is fixed upstream and is included in Percona Server for MongoDB 7.0.28-15 and 8.0.17-6. We strongly recommend upgrading Percona Server for MongoDB to this latest minor version to ensure your deployments remain secure.

Workaround

If upgrading is not possible right away, disable zlib compression by configuring networkMessageCompressors (or net.compression.compressors) in configuration or startup parameters. Safe alternatives are snappy or zstd.

To disable zlib compression, edit the mongod.conf or mongos.conf configuration file and set the net.compression.compressors parameter as follows:

net:
  compression:
    compressors: snappy,zstd

Then restart the mongod or mongos service to apply the changes.

To disable zlib compression, start mongod or mongos with the --networkMessageCompressors parameter as follows:

mongod --networkMessageCompressors snappy,zstd

Or for mongos:

mongos --networkMessageCompressors snappy,zstd

Verify that zlib is disabled using the db.adminCommand({ getCmdLineOpts: 1 }). Ensure logs show no zlib negotiation when you try to connect to the server with a client that explicitly requests zlib.

Upstream Improvements

  • SERVER-115508 - Fixed a critical security vulnerability (CVE-2025-14847) where unauthenticated remote attackers could read uninitialized heap memory via the zlib compression protocol. This was caused by improper handling of length parameter inconsistencies in zlib-compressed protocol headers. The fix ensures the server uses minimally sized buffers for uncompressed messages, preventing sensitive information disclosure.