MongoDB Server Uninitialized Heap Memory Disclosure (MongoBleed) | Active Exploitation
CVE-2025-14847 (MongoBleed) is an unauthenticated information disclosure vulnerability in MongoDB Server’s handling of zlib-compressed network messages. By sending specially crafted packets, an attacker can trigger MongoDB to return uninitialized heap memory to the client. Because the vulnerable path is reachable prior to authentication, internet-exposed MongoDB servers are at elevated risk.
This vulnerability is being actively exploited and has been added to CISA’s Known Exploited Vulnerabilities catalog. CISA lists a Date Added of December 29, 2025, with a federal remediation due date of January 19, 2026.
Technical details
- Vulnerability class: Read of uninitialized heap memory caused by incorrect handling of length fields in zlib-compressed MongoDB wire protocol messages.
- Exploitation mechanics: The affected code path can return the allocated output buffer length instead of the actual decompressed data length. This results in disclosure of adjacent heap memory to an unauthenticated client. The issue resides in MongoDB’s zlib message decompression logic.
- Impact: Leaked memory fragments may contain sensitive in-memory data such as credentials, API keys, session tokens, internal state, logs, or other secrets present in the MongoDB process at the time of exploitation.
Severity (as published by MongoDB, Inc., the CNA for this CVE):
- CVSS v4.0 base score: 8.7 (High).
- CVSS v3.1 base score: 7.5 (High).
Stop Guessing, Start Proving
NodeZero® Offensive Security Platform — Rapid Response
If CVE-2025-14847 Rapid Response coverage is available in your customer portal, use it to validate whether MongoDB servers are exploitable, then re-run testing after remediation to confirm exposure has been removed.
- Run the Rapid Response test: Validate whether targeted MongoDB servers are vulnerable to CVE-2025-14847, prioritising internet-exposed deployments where zlib compression is enabled.
- Patch immediately: Upgrade to a fixed MongoDB version (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30).
- If you cannot patch immediately: Disable zlib compression by configuring
networkMessageCompressorsornet.compression.compressorsto omitzlib(for example,snappy,zstdordisabled). - Re-run the Rapid Response test: Confirm that remediation removed exploitability.
If a MongoDB server was internet exposed and vulnerable, treat this as a potential secrets exposure event. Assume credentials and tokens that may have been present in memory could be compromised and respond accordingly.
Indicators of compromise (hunting guidance)
This is a memory disclosure vulnerability, so file hashes and dropped artifacts are not primary indicators. Focus on behavioural and traffic-based signals:
- Abnormal spikes in inbound connections to MongoDB, especially large numbers of short-lived, pre-authentication connections from the same source.
- Repeated probing patterns against MongoDB services consistent with attempts to elicit leaked memory contents.
- Suspicious use of compressed MongoDB traffic if protocol-aware network telemetry is available.
- Reports of instability or crashes coinciding with unusual inbound traffic patterns.
Affected versions and patch
Affected MongoDB versions:
- MongoDB 8.2.0 through 8.2.2
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
Remediation:
- Upgrade to one of the following fixed versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
Workaround (if patching is not immediately possible):
- Disable zlib compression by explicitly omitting
zlibfromnetworkMessageCompressorsornet.compression.compressors.
References
🔗 Wiz — “MongoBleed (CVE-2025-14847) exploited in the wild”
🔗 MongoDB Advisory (Jira) — SERVER-115508
🔗 NVD — CVE-2025-14847
🔗 BleepingComputer — “CISA orders feds to patch MongoBleed flaw exploited in attacks”
