CVE-2025-14847 vulnerability Mongo Database

Started by PencilHCV, December 29, 2025, 10:22:04 PM

hi!
Is Mongo Database vulnerable to CVE-2025-14847?

best regards,
Hugo C.V.

Hi Hugo,

Zenarmor has stopped supporting MongoDB. Please switch it to Elasticsearch or SQLite DB.



Thanks for your suggestion. But still no one has been able to answer my question. Or is it not important to inform all of us users whether Mongo Database is vulnerable, when this is a security product?

best regards,
Hugo

As @sy wrote, MongoDB is unsupported by ZA now and you should remove it from your security product. Which also solves the issue.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi Patrick!
That's not what I want. I know what to do with Mongo Database on Zenarmor in OPNsense. What I want to bring up is whether Zenarmor or OPNsense have informed us users, old and new, that if you still use Mongo Database in Zenarmor you should switch to SQLite or Elasticsearch. But this is speculation, because still NO ONE has answered whether the Mongo Database used in Zenarmor is vulnerable to CVE-2025-14847. Which was my question from the beginning.
Not to offend you, but you sound more like politicians who avoid touching on the core question here and answer with something else.

best regards,
Hugo

In their release notes for version 2.1, dated October 07, 2025, they stated:

Quote: "The Elasticsearch version 5 and MongoDB databases are no longer available for new Zenarmor installations."

I don't know if that is sufficient for you. I agree they could be way more explicit sending out a warning message or even displaying one in the UI. Of course MongoDB in your particular version will most probably be subject to the cited CVE. Of course - how can it not be?

But it is your responsibility as the administrator to assess if your particular installation is affected by that vulnerability.

If, e.g., MongoDB as installed with Zenarmor is only reachable via 127.0.0.1, you are not affected. That CVE describes a remotely exploitable data leak - which implies that your MongoDB can be contacted remotely. If it cannot, you are safe, even if it is vulnerable.

Nobody will be doing that job for you (although I just did in this particular case).

- read CVE
- understand CVE
- check if it is applicable to your particular situation
- act if necessary

Your job as an admin for any software you run. No open source product will give you a "make secure always" button.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
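
The "check if it is applicable to your particular situation" step above, as an added example that is not part of this thread or of Zenarmor: a small Python check that reads the listening sockets of a FreeBSD/OPNsense host (the `sockstat -l` column layout is assumed) and reports any mongod TCP listener that is bound to something other than a loopback address. The sample output embedded below is constructed, not captured from a real system.

```python
import ipaddress
import subprocess

# Constructed sample of `sockstat -l` output in the FreeBSD column layout
# (USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS); not real data.
SAMPLE_LOOPBACK_ONLY = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
mongodb  mongod     1337  10 tcp4   127.0.0.1:27017       *:*
mongodb  mongod     1337  11 tcp6   ::1:27017             *:*
mongodb  mongod     1337  12 stream /tmp/mongodb-27017.sock
"""

# Constructed sample where mongod listens on every interface (`*` wildcard).
SAMPLE_EXPOSED = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mongodb  mongod     1337  10 tcp4   *:27017               *:*
mongodb  mongod     1337  11 tcp6   ::1:27017             *:*
"""


def is_loopback_host(host):
    """True only for a real loopback address; `*` (any interface) is never loopback."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def mongod_exposure(sockstat_output, command="mongod"):
    """Return [(proto, local_address)] for TCP listeners of `command` not bound to loopback.
    Unix-domain sockets (PROTO 'stream') are ignored: they are not remotely reachable."""
    exposed = []
    for line in sockstat_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[1] != command:
            continue
        proto, local = fields[4], fields[5]
        if not proto.startswith("tcp"):
            continue
        host, _, _port = local.rpartition(":")  # handles IPv6 such as ::1:27017
        if not is_loopback_host(host):
            exposed.append((proto, local))
    return exposed


if __name__ == "__main__":
    # On a live OPNsense box, replace the sample with the real socket table.
    out = subprocess.run(["sockstat", "-l"], capture_output=True, text=True).stdout
    hits = mongod_exposure(out or SAMPLE_LOOPBACK_ONLY)
    print("mongod reachable beyond loopback on:" if hits else "mongod is loopback-only", hits)
```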

Hi Patrick,

Thank you for your response and for clarifying the situation.

I appreciate your insights about CVE-2025-14847, but I still feel that there should have been a clearer communication to users, especially given that MongoDB has been deprecated in Zenarmor. I understand it's my responsibility as an administrator to check for vulnerabilities, but it would be more helpful if there was an explicit warning or guidance from the Zenarmor team about how MongoDB users should handle these situations.

While I agree with your point that if MongoDB is not exposed remotely, the vulnerability may not apply, it's still concerning that users are left in the dark unless they are actively looking for this kind of information.

Once again, thanks for your input. I just think there's room for improvement in the way security updates and vulnerabilities are communicated to the user base.

Best regards,
Hugo