Release Highlights
Security update: Mitigation of heap memory disclosure vulnerability
This release includes the fix for security vulnerability CVE-2025-14847 (CWE-130), which concerns how MongoDB uses the zlib compression library. Attackers with network access to mongod or mongos can extract fragments of uninitialized server memory without authentication if zlib compression is enabled. This memory may contain sensitive data, which poses a serious information disclosure risk.
The issue is resolved upstream, and the fix is included in Percona Server for MongoDB 6.0.27-21, 7.0.28-15 and 8.0.17-6. Percona Operator for MongoDB includes these updated Percona Server for MongoDB images.
We strongly recommend upgrading to this latest version of the Operator to ensure your deployments remain secure.
Learn more about the vulnerability in the upstream bug report and in the Percona Blog post "Urgent Security Update: Patching 'Mongobleed' (CVE-2025-14847) in Percona Server for MongoDB".
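A quick way to verify that every Percona Server for MongoDB container in a cluster runs one of the fixed builds listed above is to compare the image tag against the minimum fixed version of its release line. The script below is an added example, not part of these release notes or the Operator; it assumes image tags of the form `major.minor.patch-build` (for example `6.0.27-21`) and that the image references are fed in from a pod listing.

```python
import re

# Minimum Percona Server for MongoDB builds that carry the CVE-2025-14847 fix,
# taken from the release notes above, keyed by major.minor release line.
FIXED_VERSIONS = {"6.0": "6.0.27-21", "7.0": "7.0.28-15", "8.0": "8.0.17-6"}

# Assumed tag format: major.minor.patch-build, possibly followed by a suffix.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(tag):
    """Return (major, minor, patch, build) from a tag such as '6.0.27-21', or None."""
    m = VERSION_RE.search(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(image):
    """Classify one image reference as 'patched', 'vulnerable' or 'unknown'.

    Returns (status, detail). Images whose tag does not parse as a PSMDB
    version (backup images, digests, custom tags) are reported as unknown
    rather than silently treated as safe.
    """
    tag = image.rsplit(":", 1)[-1] if ":" in image else ""
    ver = parse_version(tag)
    if ver is None:
        return ("unknown", f"could not parse a PSMDB version from {image!r}")
    line = f"{ver[0]}.{ver[1]}"
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return ("unknown", f"no fixed build listed for the {line} line")
    if ver >= parse_version(fixed):
        return ("patched", f"{tag} >= {fixed}")
    return ("vulnerable", f"{tag} < {fixed}; upgrade to {fixed} or later")


def audit(images):
    """Map each image reference to its status; in practice the list would come
    from something like kubectl get pods -o jsonpath='{..containers[*].image}'."""
    return {img: is_patched(img) for img in images}


if __name__ == "__main__":
    # Constructed sample input, shaped like the image column of a pod listing.
    sample = [
        "percona/percona-server-mongodb:6.0.27-21",
        "percona/percona-server-mongodb:7.0.24-13",
        "percona/percona-server-mongodb:8.0.17-6-multi",
        "percona/percona-backup-mongodb:2.11.0",
    ]
    for img, (status, detail) in audit(sample).items():
        print(f"{status:10} {img}  ({detail})")
```

Treat an `unknown` result as something to inspect by hand, since the check can only vouch for tags it can parse.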
Supported software
The Operator was developed and tested with the following software:
- Percona Server for MongoDB 6.0.27-21, 7.0.28-15, and 8.0.17-6
- Percona Backup for MongoDB 2.11.0
- PMM Client: 2.44.1-1
- PMM3 Client: 3.5.0
- cert-manager: 1.18.2
- LogCollector based on fluent-bit 4.0.1
Other options may also work but have not been tested.
Supported platforms
Percona Operators are designed for compatibility with all CNCF-certified Kubernetes distributions. Our release process includes targeted testing and validation on major cloud provider platforms and OpenShift, as detailed below:
- Google Kubernetes Engine (GKE) 1.31 - 1.33
- Amazon Elastic Kubernetes Service (EKS) 1.31 - 1.34
- Azure Kubernetes Service (AKS) 1.31 - 1.33
- OpenShift Container Platform 4.16 - 4.19
- Minikube 1.37.0 based on Kubernetes v1.34.0
This list only includes the platforms that the Percona Operators are specifically tested on as part of the release process. Other Kubernetes flavors and versions depend on the backward compatibility offered by Kubernetes itself.