H+H Software GmbH

The HAN knowledge base


Jan 20, 2026

HAN.V5

MongoBleed security vulnerability (CVE-2025-14847) in HAN 5

Although the database used in HAN 5 is affected by the CVE-2025-14847 security vulnerability, the HAN system is not at risk.

HAN 5 uses MongoDB version 3.4, which is officially marked as EOL (end of life). This means that no security fixes are provided for this version by the manufacturer MongoDB.

Supplement (15.01.2026):

Further research has revealed that the affected zlib library was only introduced in MongoDB version 3.6. You can find more details on this on the following page: Optimize MongoDB Storage: Compression, Indexing, and TTL Best Practices

However, the MongoDB configuration used in HAN ensures that the security vulnerability described in the CVE cannot be exploited. Since HAN 5.1, the database has been configured by default so that it can only be accessed on the server itself. Technically, this means that the database is bound only to the IP address 127.0.0.1 (localhost) and therefore cannot be reached from outside the server. The security vulnerability described in the CVE, on the other hand, can only be exploited via direct IP communication with the database.

The architecture in HAN 5 ensures that all communication from the HAN components to the HAN server takes place via an additional secure HTTPS channel. The additional security methods ensure that only the HAN components can communicate with the database via the HTTPS channel.

In addition, you have the option of deactivating the critical compression algorithm in the database settings themselves.

To do this, open the HAN system settings on the HAN server and select the ‘DB configuration’ option. Click on the button with the three dots in the ‘Configuration’ column:

In the configuration file, please add the two ‘compression’ entries to the ‘net’ section, so that it reads as follows:

### config net
net:
 port: 27017 # database port to use (default: 27017) - this key is changed with port settings in HH-Systemsettings!
 ipv6: false
 bindIp: localhost
 compression:
  compressors: snappy

Note: This is a ‘YAML’ file format. This means that the entry ‘compression:’ must be indented by exactly one character, i.e. exactly like the other keys under ‘net:’ (‘port’, ‘ipv6’, ‘bindIp’), and the entry ‘compressors: snappy’ must be indented by exactly two characters, i.e. one level deeper than ‘compression:’. Tabs or a different number of indentation characters can cause the database to fail to start.

Then save the change and restart the database via HAN system settings to implement the change.
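The following added example is not part of the H+H article or of HAN itself. It is a small stand-alone checker that an administrator can run against the edited configuration file before restarting the database: it verifies the two points the article relies on (the database is bound to localhost only, and zlib is not among the enabled network compressors) and it rejects the indentation mistakes that the note above warns about. It assumes the file uses only the plain ‘key: value’ subset of YAML shown in the article (no lists, no quoted strings), so it needs no YAML library; the sample configurations inside it are constructed for the demonstration.

```python
"""Check a mongod.conf 'net' section for the mitigations described in the article:
bindIp restricted to localhost and zlib absent from net.compression.compressors.
Parses only the nested 'key: value' subset of YAML used in the article's snippet
(assumption: no lists or quoted strings), so it runs without PyYAML."""

LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}


def parse_simple_yaml(text: str) -> dict:
    """Parse nested 'key: value' lines into dicts; values are kept as strings.

    Raises ValueError on a tab in the indentation or on a key whose indentation
    differs from its sibling keys, the two mistakes that stop mongod from starting.
    """
    root: dict = {}
    # stack entries: [indent of the key that opened the mapping, mapping, indent of its children]
    stack = [[-1, root, None]]
    for lineno, raw in enumerate(text.splitlines(), 1):
        leading = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in leading:
            raise ValueError(f"line {lineno}: tab character in indentation")
        line = raw.split("#", 1)[0].rstrip()  # drop comments, including '### ...' lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        # Close every mapping this line is not nested inside.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1]
        if parent[2] is None:
            parent[2] = indent
        elif parent[2] != indent:
            raise ValueError(
                f"line {lineno}: indentation {indent} does not match sibling keys at {parent[2]}"
            )
        value = value.strip()
        if value:
            parent[1][key.strip()] = value
        else:
            child: dict = {}
            parent[1][key.strip()] = child
            stack.append([indent, child, None])
    return root


def check_net_section(cfg: dict) -> list:
    """Return a list of findings; an empty list means both mitigations are in place."""
    findings = []
    net = cfg.get("net")
    if not isinstance(net, dict):
        return ["no 'net' section: mongod defaults apply"]
    bind = str(net.get("bindIp", "")).strip()
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if not addrs:
        findings.append("net.bindIp not set: listening interface not explicitly restricted")
    elif any(a not in LOCAL_ONLY for a in addrs):
        findings.append(f"net.bindIp={bind}: database reachable from other hosts")
    comp = net.get("compression")
    if not isinstance(comp, dict) or "compressors" not in comp:
        findings.append("net.compression.compressors not set: zlib not explicitly excluded")
    else:
        comps = [c.strip() for c in str(comp["compressors"]).split(",")]
        if "zlib" in comps:
            findings.append(f"net.compression.compressors={comp['compressors']}: zlib still enabled")
    return findings


def audit(text: str) -> list:
    """Parse and check a mongod.conf text in one call."""
    return check_net_section(parse_simple_yaml(text))


# Constructed sample: the 'net' section as the article shows it after the change.
HARDENED_CONF = """\
### config net
net:
 port: 27017 # database port to use (default: 27017)
 ipv6: false
 bindIp: localhost
 compression:
  compressors: snappy
"""

# Constructed sample: a weak configuration for comparison (exposed on all interfaces, zlib on).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
  compression:
    compressors: snappy,zlib
"""

# Constructed sample: 'compression:' indented two characters instead of one.
MISINDENTED_CONF = """\
net:
 port: 27017
 bindIp: localhost
  compression:
   compressors: snappy
"""

if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED_CONF), ("exposed", EXPOSED_CONF)]:
        print(name, audit(conf) or "OK")
    try:
        audit(MISINDENTED_CONF)
    except ValueError as err:
        print("misindented:", err)
```

Run it against the configuration file saved from the ‘DB configuration’ dialog (read the file and pass its contents to audit()); an empty result means bindIp is localhost-only and zlib is excluded, while a ValueError reproduces, without restarting anything, the indentation problem that would otherwise stop the database from starting.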