VertiGIS uses this page to provide specific information about the critical vulnerability CVE-2025-14847, affecting MongoDB Server Components, disclosed on December 19, 2025, and its impact on VertiGIS Studio products.
This article will be updated as new information becomes available.
The Studio team has completed its investigation into the impact of this vulnerability.
The following products do not use any MongoDB Server components and are not affected:
- VertiGIS Studio Web
- VertiGIS Studio Workflow
- VertiGIS Studio Access Control
- VertiGIS Studio Item Manager
- VertiGIS Inline
- VertiGIS Studio Printing
- VertiGIS Studio Reporting
- VertiGIS Studio Mobile
The following products include MongoDB Server components. Here’s an overview of the impact and recommended actions:
VertiGIS Studio Analytics
Impact: Low
MongoDB in Studio Analytics is restricted to local connections, significantly reducing exposure. Sensitive data such as encrypted credentials and security keys are not stored in MongoDB, and our APIs are designed to operate through localhost. We will upgrade MongoDB in the next release of Studio Analytics (version 1.7).
Update - 01/21/26: Studio Analytics 1.7 has been released with an updated/patched version of MongoDB. It is available for download here.
VertiGIS Studio Search
Impact: Low
MongoDB in Studio Search is not exposed to the internet by default and only accepts local connections. The Search service uses the official MongoDB Java driver, which securely manages communication and prevents raw protocol manipulation.
The vulnerability (MongoBleed) relates to zlib compression in MongoDB’s message handling. While zlib is enabled by default, it can be disabled in the MongoDB configuration.
Additional Recommendation:
Ensure that MongoDB’s default port (27017) is not accessible from outside your network. Firewalls or security groups should restrict access to only necessary ports.
Workaround: Disable zlib Compression
To disable zlib compression on your on-premises Studio Search installation:
- Access the server running Studio Search via Remote Desktop.
- Open the Windows CMD prompt as an administrator and navigate to: C:\Program Files\VertiGIS\VertiGIS Studio Search\search\Engine\bin
- Run stop.cmd.
- Download the mongodb.conf file attached to this article and navigate to the file directory: C:\Program Files\VertiGIS\VertiGIS Studio Search\search\Engine\bin\mongodb\bin
- Back up your existing mongodb.conf and replace it with the downloaded copy.
- Return to the CMD window and run start.cmd.
- Verify your Search Indexes in Studio Search Designer.
Note: This fix applies only to on-premises installations; SaaS deployments are not affected. We plan to include an updated MongoDB version in a future Studio Search release. In the meantime, the recommended workaround - disabling zlib compression and confirming port restrictions - effectively mitigates any potential risk.
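A post-change check for the workaround and port recommendation above, as an added example that is not VertiGIS code: it reads the replaced mongodb.conf for the compressor setting and lists any listener on port 27017 that is not bound to loopback. It assumes the file sets compression through MongoDB's `net.compression.compressors` (YAML) or `networkMessageCompressors` (legacy format) option; the function names are hypothetical.

```powershell
# Added example, not VertiGIS code. Path and port are taken from the article;
# the setting names matched below are an assumption about the attached file.
$ConfPath = 'C:\Program Files\VertiGIS\VertiGIS Studio Search\search\Engine\bin\mongodb\bin\mongodb.conf'
$Port = 27017

function Test-ZlibDisabled {            # hypothetical helper name
    param([string[]]$Lines)
    # Drop blank and comment lines, then find the first compressor setting.
    $active = $Lines | Where-Object { $_ -and $_ -notmatch '^\s*#' }
    $pattern = '^\s*(compressors\s*:|networkMessageCompressors\s*=)\s*(?<v>[^#]*)'
    $hit = $active | Select-String -Pattern $pattern | Select-Object -First 1
    if (-not $hit) {
        # No explicit setting means server defaults apply, and zlib is on by default.
        return [pscustomobject]@{ Ok = $false; Detail = 'no compressor setting found; defaults apply' }
    }
    $value = $hit.Matches[0].Groups['v'].Value.Trim() -replace '["'']', ''
    $names = @($value -split '\s*,\s*' | Where-Object { $_ })
    [pscustomobject]@{ Ok = ($names -notcontains 'zlib'); Detail = "compressors = $value" }
}

function Get-NonLoopbackListener {      # hypothetical helper name
    param([int]$Port)
    # A listener bound to anything other than loopback accepts remote connections
    # unless a firewall or security group blocks the port.
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
}

if (-not (Test-Path -LiteralPath $ConfPath)) {
    Write-Warning "Config file not found: $ConfPath"
    return
}
$zlib = Test-ZlibDisabled -Lines (Get-Content -LiteralPath $ConfPath)
if ($zlib.Ok) { Write-Output "OK: zlib not enabled ($($zlib.Detail))" } else { Write-Warning "zlib may still be enabled ($($zlib.Detail))" }

$exposed = @(Get-NonLoopbackListener -Port $Port)
if ($exposed.Count -eq 0) {
    Write-Output "OK: no non-loopback listener on port $Port"
} else {
    $exposed | ForEach-Object { Write-Warning "Port $Port is listening on $($_.LocalAddress)" }
}
```

Run it from an elevated PowerShell session after start.cmd has brought the service back up, so the listener check reflects the running MongoDB process.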