A high-severity security vulnerability has been identified in the MongoDB component utilized by the Rapid Recovery Core. This flaw, tracked as CVE-2025-14847 (also known as "MongoBleed"), allows unauthenticated remote attackers to read uninitialized heap memory, potentially exposing sensitive data such as credentials or session tokens.
The vulnerability stems from an improper handling of length parameter inconsistencies within the zlib network message decompression logic (message_compressor_zlib.cpp).
When an unauthenticated client sends a malformed, compressed network packet with mismatched length fields, the MongoDB server trusts the header's "uncompressed size" value. The server then returns the full allocated buffer size (output.length()) instead of the actual decompressed data. This results in a buffer over-read, where "dirty" or uninitialized heap memory (RAM) is sent back to the attacker.
We have released patch P-2664, which remediates this vulnerability by upgrading the internal MongoDB instance to version 7.0.28.
This patch is specifically designed for Rapid Recovery 6.10. Customers on older versions must upgrade to 6.10 before applying this patch.
Core Version: Ensure the Core is running Rapid Recovery 6.10.
Pause Operations: Pause all active snapshots, replication, and export jobs in the Core Console.
Stop Core Services: Stop the Rapid Recovery Core service.
Verify Process Termination: Open Task Manager and ensure all mongod.exe processes have stopped completely.
Deploy Patch: Run the P-2664.msi installer with Administrative privileges.
Restart: Start the Rapid Recovery Core service.
Confirm the upgrade was successful using either of the following methods:
Navigate to: C:\Program Files\AppRecovery\Core\CoreService\MongoDB
Right-click mongod.exe > Properties > Details tab.
Confirm Product version is 7.0.28.

Open Command Prompt (CMD) or PowerShell as Administrator.
Run the following command:
cd "C:\Program Files\AppRecovery\Core\CoreService\MongoDB"
mongod.exe --version
Verify the output displays: db version v7.0.28
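The following PowerShell script is an added example, not Quest's own tooling: it automates both verification methods above (the binary's version resource and the output of mongod.exe --version) on a Rapid Recovery 6.10 Core, and also reports whether any mongod.exe process is still running, which the deployment steps require to be false before the installer runs. It assumes the install path given above and that the ProductVersion resource of mongod.exe begins with the dotted build number.

```powershell
# Added example (not Quest's tooling). Assumes the Rapid Recovery 6.10 install path from this article.
$MongoDir      = 'C:\Program Files\AppRecovery\Core\CoreService\MongoDB'
$RequiredBuild = [version]'7.0.28'      # version shipped by patch P-2664
$Exe           = Join-Path $MongoDir 'mongod.exe'

if (-not (Test-Path -LiteralPath $Exe)) {
    throw "mongod.exe not found at $Exe - confirm this Core is running Rapid Recovery 6.10"
}

# Method 1: read the version resource shown on the Properties > Details tab.
# Assumption: ProductVersion starts with the dotted build number (e.g. '7.0.28').
$productVersion = (Get-Item -LiteralPath $Exe).VersionInfo.ProductVersion
$m = [regex]::Match([string]$productVersion, '^\d+\.\d+\.\d+')
$fileVer = if ($m.Success) { [version]$m.Value } else { $null }

# Method 2: run 'mongod.exe --version' and parse the 'db version v7.0.28' line.
$cliOut = & $Exe --version 2>&1 | Out-String
$c = [regex]::Match($cliOut, 'db version v(\d+\.\d+\.\d+)')
$cliVer = if ($c.Success) { [version]$c.Groups[1].Value } else { $null }

# Patched only if both checks agree the build is at or above the fixed version.
$patched = ($fileVer -and $fileVer -ge $RequiredBuild) -and
           ($cliVer  -and $cliVer  -ge $RequiredBuild)

# Step 'Verify Process Termination': no mongod.exe should be running before deploying P-2664.
$running = [bool](Get-Process -Name mongod -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Path          = $Exe
    FileVersion   = $fileVer
    CliVersion    = $cliVer
    Required      = $RequiredBuild
    Patched       = $patched
    MongodRunning = $running
}

if (-not $patched) { exit 1 }   # non-zero exit lets the check be used in fleet-wide tooling
```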

MongoDB Jira: SERVER-115508 - Make minimally sized buffers for uncompressed Messages
CVE Record: CVE-2025-14847