MongoBleed: Pre-Authentication Memory Disclosure in MongoDB Server (CVE-2025-14847)

December 31st, 2025

High

Our Cyber Threat Intelligence Unit has identified a high-severity vulnerability in MongoDB Server, tracked as CVE-2025-14847 and commonly known as “MongoBleed.” It allows remote, unauthenticated attackers to read uninitialized heap memory from affected database instances. The issue resides in MongoDB Server’s zlib-based network message decompression logic and can be exploited without credentials, potentially exposing sensitive in-memory data such as credentials, session tokens, API keys, or other artifacts recently processed by the server. Public proof-of-concept code and confirmed reports of active exploitation significantly increase the urgency for rapid patching. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 29, 2025, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate it by January 19, 2026. 

Technical Details

  • Attack Type: Unauthenticated memory disclosure via malformed zlib-compressed protocol messages.

  • CVE Tag: CVE-2025-14847

  • Severity: High (CVSS v4.0: 8.7)

    • Note: The issue is widely referred to as a “critical” fix in public reporting.

  • Vulnerability Type: Improper handling of mismatched length fields in zlib-compressed protocol headers, leading to uninitialized heap memory being returned to the client.

  • Delivery Method:

    • A remote attacker sends specially crafted, compressed MongoDB wire-protocol messages to an exposed MongoDB server port.

    • Because the zlib decompression logic runs before authentication, the vulnerability is reachable pre-auth and does not require valid credentials or user interaction.

  • Component Affected: MongoDB Server’s zlib-based network message decompression logic in the wire protocol layer, processed prior to authentication.

  • Affected Versions:

    • MongoDB Server 3.6.x – all versions

    • MongoDB Server 4.0.x – all versions

    • MongoDB Server 4.2.x – all versions

    • MongoDB Server 4.4.x – 4.4.0 through 4.4.29

    • MongoDB Server 5.0.x – 5.0.0 through 5.0.31

    • MongoDB Server 6.0.x – 6.0.0 through 6.0.26

    • MongoDB Server 7.0.x – 7.0.0 through 7.0.27

    • MongoDB Server 8.0.x – 8.0.0 through 8.0.16

    • MongoDB Server 8.2.x – 8.2.0 through 8.2.2

  • Fixed Versions:

    • 4.4.30 and later

    • 5.0.32 and later

    • 6.0.27 and later

    • 7.0.28 and later

    • 8.0.17 and later

    • 8.2.3 and later

Impact

  • Remote, unauthenticated attackers can read uninitialized heap memory from the MongoDB server.

  • Potential exposure of sensitive artifacts such as usernames, passwords, API keys, session tokens, or other secrets processed recently by the server.

  • Possible escalation toward broader system compromise once sensitive data is harvested (e.g., credential re-use, lateral movement).

  • Elevated risk for internet-exposed MongoDB instances, particularly where zlib compression is enabled by default.

  • Broad operational impact given the large set of affected version branches, including supported and legacy releases.

  • Public “MongoBleed” proof-of-concept code and mass-scanning activity increase the likelihood of opportunistic exploitation.

Detection Method

  • Inventory and Version Scan: Enumerate all MongoDB Server instances and verify whether they are running affected versions listed above.

  • Network Monitoring: Monitor MongoDB ports (default 27017/27018 or environment-specific equivalents) for anomalous or malformed zlib-compressed payloads, especially repeated pre-auth requests from untrusted IPs.

  • Memory / Response Analysis: Identify unusual responses containing apparent heap data fragments or non-initialized memory patterns in response to compressed commands.

  • Log Review:

    • Review MongoDB logs for abnormal pre-authentication connections, compression negotiation anomalies, and decompression errors associated with zlib.

    • Use available tools (e.g., MongoBleed-focused log scanners) to flag signatures indicative of CVE-2025-14847 exploitation attempts.

  • Service Exposure Awareness: Identify MongoDB instances exposed to the public internet or untrusted networks and treat them as high-risk for MongoBleed exploitation.

  • Compression Behavior Alerts: Configure alerts on zlib negotiation failures, decompression errors, and other anomalies in MongoDB compression handling that may correlate with exploit activity.

Indicators of Compromise

There are no Indicators of Compromise (IoCs) for this advisory.

Recommendations

  • Apply Patches:

    • Upgrade all MongoDB Server instances to the fixed versions listed above (or later) using official MongoDB packages.

    • Prioritize internet-exposed and high-sensitivity environments.

      • Note: Organizations subject to CISA directives must complete these updates by January 19, 2026.

  • Disable zlib Compression (Interim Mitigation):

    • Where immediate patching is not feasible, disable zlib compression on mongod/mongos by configuring networkMessageCompressors or net.compression.compressors to exclude zlib (e.g., use snappy, zstd, or disable compression).

  • Restrict Exposure:

    • Remove direct internet exposure for MongoDB ports wherever possible.

    • Enforce network segmentation and restrict access to trusted application tiers and administrative networks only.

  • Access Controls:

    • Maintain strong authentication and role-based authorization for MongoDB instances to limit the impact of any leaked credentials and to mitigate future issues.

  • Rotate Credentials:

    • Rotate all sensitive credentials, API keys, and session tokens that may have been resident in memory prior to patching.

      • This should specifically include database user passwords, application API keys, and X.509 certificates (if used for cluster authentication).

  • Monitoring and Logging:

    • Enable detailed MongoDB logging and centralize logs for correlation.

    • Monitor for abnormal pre-auth traffic volumes, repeated compression negotiation, and error conditions indicative of probing or exploitation.

  • Threat Intelligence Watch:

    • Track ongoing exploit campaigns, scanners, and new tooling related to MongoBleed/CVE-2025-14847 for early warning and detection rule updates.
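The version triage in "Inventory and Version Scan" and the zlib check in "Disable zlib Compression" above can be scripted. The following is an added example, not code from the advisory or from MongoDB: it encodes the affected and fixed ranges exactly as listed on this page and reads the `net.compression.compressors` key from a mongod.conf fragment with a small line-based parser (assumed YAML layout, not a full YAML reader); the sample configuration is constructed.

```python
from typing import Optional, Tuple

# (major, minor) -> first fixed patch level per the advisory; None = every patch level affected.
FIRST_FIXED = {
    (3, 6): None, (4, 0): None, (4, 2): None,
    (4, 4): 30, (5, 0): 32, (6, 0): 27,
    (7, 0): 28, (8, 0): 17, (8, 2): 3,
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.0.27' or 'db version v7.0.27' into a (major, minor, patch) tuple."""
    token = text.strip().split()[-1].lstrip("v")
    major, minor, patch = (int(p) for p in token.split(".")[:3])
    return major, minor, patch

def is_affected(version: str) -> Optional[bool]:
    """True if the release is in the advisory's affected list, False if it is at or past
    the fixed release, None for a branch the advisory does not list (review manually)."""
    major, minor, patch = parse_version(version)
    if (major, minor) not in FIRST_FIXED:
        return None  # assumption: unlisted branches (e.g. rapid releases) are not classified here
    fixed_at = FIRST_FIXED[(major, minor)]
    return True if fixed_at is None else patch < fixed_at

def zlib_enabled(config_text: str) -> bool:
    """Report whether zlib is in the compressors list of a mongod.conf fragment.
    Accepts 'compressors: snappy,zstd,zlib', '[snappy, zlib]' and 'disabled'."""
    for line in config_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "compressors":
            names = value.replace("[", "").replace("]", "").replace(",", " ").split()
            return "zlib" in (n.lower() for n in names)
    # The advisory notes zlib is enabled by default, so a missing key counts as enabled.
    return True

# Constructed sample: a default-style fragment and its hardened counterpart.
SAMPLE_CONF = """\
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib
"""
HARDENED_CONF = SAMPLE_CONF.replace("snappy,zstd,zlib", "snappy,zstd")

def triage(version: str, config_text: str) -> str:
    """One-line verdict combining patch status and the interim mitigation state."""
    affected = is_affected(version)
    status = {True: "AFFECTED", False: "fixed", None: "unlisted branch"}[affected]
    mitigation = "zlib enabled" if zlib_enabled(config_text) else "zlib disabled"
    return f"{version}: {status}; {mitigation}"

if __name__ == "__main__":
    print(triage("7.0.27", SAMPLE_CONF))    # 7.0.27: AFFECTED; zlib enabled
    print(triage("7.0.28", HARDENED_CONF))  # 7.0.28: fixed; zlib disabled
```

Disabling zlib only removes the vulnerable decompression path; it does not replace upgrading to the fixed releases.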

Conclusion

CVE-2025-14847 (MongoBleed) is a high-severity information disclosure vulnerability affecting a wide range of MongoDB Server releases. It permits remote, unauthenticated memory leaks via malformed zlib-compressed messages processed before authentication, exposing sensitive in-memory data. Given the prevalence of zlib compression in affected configurations, the large number of internet-exposed MongoDB instances, and confirmed active exploitation with public PoC code, the risk of data exposure is substantial. We urge organizations to act promptly by applying patches to fixed releases, minimizing network exposure, and implementing focused monitoring for anomalous compression traffic. These steps are essential to mitigate this vulnerability and safeguard data handled by MongoDB servers.