Emergency Security Bulletin: Unauthenticated Memory Disclosure in MongoDB Server (“MongoBleed”)


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-14847, also known as “MongoBleed,” is an unauthenticated memory disclosure vulnerability in MongoDB Server caused by improper handling of zlib-compressed network messages. By sending specially crafted packets, a remote unauthenticated attacker can cause the server to leak uninitialized heap memory prior to authentication enforcement. The exposed memory may contain sensitive information such as credentials, API keys, session tokens, configuration details, or other runtime data, posing significant risk to affected MongoDB deployments, especially those accessible from untrusted networks.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Unauthenticated Memory Disclosure in MongoDB Server (“MongoBleed”)

CVSS Score: 7.5 (CVSS 3.1)
Identifier: CVE-2025-14847
Exploit or Proof of Concept (PoC): Public proof-of-concept exploit code is available, and exploitation in the wild has been observed.

Update/ Patch:

MongoDB has released fixes across supported server branches and has documented the remediation and version status in the following issue page:

Fixed versions include:
MongoDB 8.2 — fixed in 8.2.3
MongoDB 8.0 — fixed in 8.0.17
MongoDB 7.0 — fixed in 7.0.28
MongoDB 6.0 — fixed in 6.0.27
MongoDB 5.0 — fixed in 5.0.32
MongoDB 4.4 — fixed in 4.4.30

Older end-of-life branches do not receive patches; migration to a supported release is strongly recommended.

Where immediate upgrading is not possible, a temporary mitigation is to disable zlib compression by removing zlib from the configured network message compressors (net.compression.compressors) and using alternatives such as snappy or zstd.

Description:

CVE-2025-14847, also referred to as “MongoBleed,” is a vulnerability in MongoDB Server’s handling of compressed network messages. When processing specially crafted zlib-compressed packets, the server may return portions of uninitialized heap memory to an unauthenticated client. The leaked memory may contain credentials, API keys, session tokens, configuration data, or other sensitive runtime information. The flaw occurs before authentication enforcement, allowing attackers to extract data without logging in.

Mitigation Recommendation:

Identify all MongoDB server instances and determine whether they are running affected versions, prioritizing those reachable from untrusted networks.

Upgrade affected deployments to one of the fixed versions listed above and verify the new build version after upgrade.

If upgrading cannot be completed immediately, disable zlib network compression and restrict access to MongoDB services to trusted networks only.

Avoid exposing MongoDB listener ports directly to the internet; place instances behind firewalls, VPNs, or trusted access gateways.
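The following triage helper is an added example, not part of RedLegg's bulletin or of MongoDB's own tooling. It applies the fixed-version list above to observed version strings (as typed or as printed by `mongod --version`) and checks a mongod.conf fragment for zlib in `net.compression.compressors`; the two config fragments are constructed samples, and the treatment of a missing `compressors` setting as "zlib enabled" is an assumption based on the server default, which should be verified against the docs for your release.

```python
import re

# Fixed versions per supported branch, exactly as listed in the bulletin.
FIXED = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}

# Constructed sample configs: the weak setting and the mitigated one.
WEAK_CONF = "net:\n  compression:\n    compressors: snappy,zstd,zlib\n"
HARDENED_CONF = "net:\n  compression:\n    compressors: snappy,zstd\n"


def parse_version(text):
    """Extract (major, minor, patch) from '7.0.28' or 'db version v7.0.28'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(text):
    """'patched', 'vulnerable', or 'not-listed' (branch absent from the fix table)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not-listed"
    return "patched" if v >= fixed else "vulnerable"


def zlib_enabled(conf_text):
    """True if a mongod.conf fragment still lists zlib among the compressors.
    Line-based parse of the 'compressors: a,b,c' form, so no YAML dependency."""
    m = re.search(r"^\s*compressors:\s*(\S+)", conf_text, re.M)
    if m is None:
        return True  # assumption: no explicit setting means the default, which includes zlib
    return "zlib" in [c.strip().lower() for c in m.group(1).split(",")]


def triage(version_text, conf_text):
    """Map one host's version and config to the bulletin's recommended action."""
    state = assess_version(version_text)
    if state == "patched":
        return "ok"
    if zlib_enabled(conf_text):
        return f"{state}: upgrade; until then remove zlib from net.compression.compressors"
    return f"{state}: upgrade; zlib already disabled, restrict network exposure meanwhile"
```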