A high-severity unauthenticated information-leak vulnerability in MongoDB Server, dubbed MongoBleed after the infamous Heartbleed bug, is now being actively exploited in real-world attacks.
MongoDB has disclosed CVE-2025-14847, a critical flaw affecting multiple supported and legacy server versions that allows unauthenticated remote attackers to exfiltrate sensitive data and authentication credentials from vulnerable instances.
MongoBleed stems from improper handling of length fields in the MongoDB Server’s zlib-based network message decompression logic, which runs before authentication checks. By crafting malformed, compressed network packets, unauthenticated attackers can cause the server to mishandle decompressed message lengths, resulting in the server returning uninitialized heap memory fragments directly to the client.
The root cause lies in message_compressor_zlib.cpp, where the vulnerable code returned the allocated buffer size instead of the actual decompressed data length. This subtle but critical flaw allows undersized or malformed payloads to expose adjacent heap memory containing sensitive information, a memory over-read analogous to Heartbleed.
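To make the root cause concrete, the following added example (not MongoDB's code, and not a reproduction of the real OP_COMPRESSED wire format) simulates the length-handling bug in Python with the standard-library zlib module. The message framing here is an assumption: a 4-byte declared uncompressed length followed by a zlib payload. The "heap" is a constructed byte string standing in for a reused, uninitialised buffer. The vulnerable decoder returns the whole allocated buffer, so an over-declared length hands back stale bytes that were never written by inflate; the fixed decoder returns only the bytes zlib actually produced and rejects a length mismatch.

```python
import struct
import zlib

# Constructed stand-in for uninitialised heap memory: whatever a previous
# request left behind in a reused buffer (placeholder values, not real data).
STALE_HEAP = b"user=admin;pwd=hunter2-placeholder;" * 4


def build_message(body, declared_len=None):
    """Frame a body as [u32 little-endian declared length][zlib data].

    declared_len defaults to the true length; passing a larger value models a
    malformed message whose header over-declares the decompressed size.
    """
    if declared_len is None:
        declared_len = len(body)
    return struct.pack("<I", declared_len) + zlib.compress(body)


def _inflate_into_buffer(msg, stale_heap):
    """Shared helper: allocate a buffer of the declared size (pre-filled with
    stale heap contents to model a non-zeroed allocation) and inflate into it.
    Returns (buffer, bytes_written, declared_len)."""
    declared_len = struct.unpack("<I", msg[:4])[0]
    buf = bytearray(stale_heap[:declared_len].ljust(declared_len, b"\x00"))
    out = zlib.decompress(msg[4:])
    if len(out) > declared_len:
        # Both variants bound the inflate to the allocation; the bug is about
        # what length is reported afterwards, not about writing past the end.
        raise ValueError("decompressed data exceeds declared buffer size")
    buf[: len(out)] = out
    return buf, len(out), declared_len


def decompress_vulnerable(msg, stale_heap):
    """Bug pattern: report the allocated size instead of the bytes written.

    Everything between bytes_written and declared_len is returned untouched,
    i.e. leftover heap contents leak to the caller.
    """
    buf, _written, _declared = _inflate_into_buffer(msg, stale_heap)
    return bytes(buf)  # BUG: full allocation, not the inflated length


def decompress_fixed(msg, stale_heap):
    """Fixed pattern: return exactly the inflated bytes and validate that the
    declared length matches what the stream actually produced."""
    buf, written, declared = _inflate_into_buffer(msg, stale_heap)
    if written != declared:
        raise ValueError(
            f"declared length {declared} != decompressed length {written}"
        )
    return bytes(buf[:written])


def leaked_bytes(msg, stale_heap):
    """Defender-side view: how many bytes of the vulnerable output did not
    come from the message at all (useful when reasoning about exposure)."""
    buf, written, declared = _inflate_into_buffer(msg, stale_heap)
    return declared - written


if __name__ == "__main__":
    honest = build_message(b"ping")
    malformed = build_message(b"ping", declared_len=64)
    print("fixed, honest header :", decompress_fixed(honest, STALE_HEAP))
    print("vulnerable, over-declared:", decompress_vulnerable(malformed, STALE_HEAP))
    print("bytes of stale heap exposed:", leaked_bytes(malformed, STALE_HEAP))
    try:
        decompress_fixed(malformed, STALE_HEAP)
    except ValueError as exc:
        print("fixed, over-declared :", exc)
```

The point of the two decoders is the single line that differs: one trusts the allocation size, the other trusts what inflate reported. The `leaked_bytes` helper is purely analytical; in a real server the equivalent hardening is to treat a declared length that disagrees with the inflated length as a protocol error and drop the connection.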
Because the flaw is reachable before authentication and requires no user interaction, Internet-exposed MongoDB servers face an immediate risk of exploitation.
According to Censys, approximately 87,000 potentially vulnerable instances are currently exposed worldwide, with Wiz research indicating that 42% of cloud environments host at least one vulnerable MongoDB instance.
A working exploit became publicly available on December 26, 2025, with confirmed real-world exploitation reported shortly thereafter. This rapid transition from proof of concept to active exploitation underscores the severity and exploitability of the flaw.
Threat actors have wasted no time leveraging the vulnerability to target internet-facing MongoDB deployments across cloud and on-premise environments.
Affected and Fixed Versions
MongoBleed impacts a broad range of MongoDB Server versions across the entire supported and legacy product line:
| MongoDB Series | Affected Versions | Fixed Version(s) |
|---|---|---|
| 8.2.x | 8.2.0 through 8.2.2 | 8.2.3 or later |
| 8.0.x | 8.0.0 through 8.0.16 | 8.0.17 or later |
| 7.0.x | 7.0.0 through 7.0.27 | 7.0.28 or later |
| 6.0.x | 6.0.0 through 6.0.26 | 6.0.27 or later |
| 5.0.x | 5.0.0 through 5.0.31 | 5.0.32 or later |
| 4.4.x | 4.4.0 through 4.4.29 | 4.4.30 or later |
| 4.2.x | All versions | None available |
| 4.0.x | All versions | None available |
| 3.6.x | All versions | None available |
The vulnerability also affects certain Linux distribution packages of rsync that utilize zlib, though exploitation details for rsync remain undetermined as of publication.
Organizations should first prioritize patching the vulnerability, then layer configuration, network, and monitoring controls to reduce exposure and detect abuse.
The MongoBleed Detector tool was also released to identify likely exploitation of CVE-2025-14847.
