


Perceptive Security
SOC/SIEM Consultancy

MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know
Published:
28 December 2025 at 09:24:54
Alert date:
28 December 2025 at 10:02:08
Source:
wiz.io
Database & Storage, Zero-Day Vulnerabilities, Data Breach & Exfiltration
CVE-2025-14847, dubbed MongoBleed, is a pre-authentication memory disclosure vulnerability in MongoDB Server that is being actively exploited in the wild. An attacker who can reach the server's port can, without any credentials, cause it to return uninitialized heap memory, and with it whatever sensitive data that memory previously held. Because no authentication is required and exploitation is already under way, organizations are urged to patch immediately; this is a critical issue for MongoDB deployments worldwide.
Technical details
CVE-2025-14847 stems from a flaw in MongoDB Server's zlib-based network message decompression logic, which runs before authentication. A compressed wire-protocol message carries a client-declared uncompressed length; the server allocates an output buffer of that size and inflates the payload into it. By sending malformed or undersized compressed packets, an unauthenticated attacker can make the server mishandle the decompressed message length, so that uninitialized heap memory is returned to the client. At a code level, the bug was an incorrect length return in message_compressor_zlib.cpp: the affected logic returned the allocated buffer size (output.length()) instead of the number of bytes zlib actually wrote. A payload that inflates to fewer bytes than declared therefore leaves the rest of the buffer untouched, and that uninitialized tail, containing whatever previously occupied the heap, is treated as part of the message and sent back.
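The length-handling mistake described above, as an added Python model (this is not MongoDB's C++ code; the server-side logic lives in message_compressor_zlib.cpp, and the function names here are the example's own). The buggy and fixed variants share one inflate step; the only difference is whether the caller is handed the whole allocated buffer or only the bytes zlib produced. HEAP_FILL is a constructed stand-in for whatever a non-zeroing allocator leaves behind, so the leak is visible in the output.

```python
import zlib

# Added example: a Python model of the flaw described above, not MongoDB's
# C++ (that lives in message_compressor_zlib.cpp). Function names are this
# example's own. HEAP_FILL stands in for whatever a non-zeroing allocator
# leaves behind in a freshly allocated buffer.
HEAP_FILL = b"<stale heap: earlier request data>"


def alloc_uninitialized(size: int) -> bytearray:
    """Model a heap allocation whose contents are not cleared.

    A real allocator hands back whatever the previous owner left there; the
    buffer is filled with HEAP_FILL so the leak is easy to recognize.
    """
    repeats = size // len(HEAP_FILL) + 1
    return bytearray((HEAP_FILL * repeats)[:size])


def inflate(compressed: bytes, claimed_size: int):
    """Inflate into a buffer sized from the client-declared length.

    claimed_size is attacker-controlled: it is the uncompressedSize field of
    the compressed wire message. Returns (buffer, bytes_written).
    """
    out = alloc_uninitialized(claimed_size)
    data = zlib.decompress(compressed)
    if len(data) > claimed_size:
        # Real zlib would fail with Z_BUF_ERROR here and the message would be
        # rejected; oversized payloads are not the interesting case.
        raise ValueError("payload inflates past the declared size")
    out[:len(data)] = data
    return out, len(data)


def decompress_buggy(compressed: bytes, claimed_size: int) -> bytes:
    """Vulnerable behavior: reports the whole buffer as the message.

    This mirrors returning output.length(): everything past bytes_written is
    uninitialized heap, and it is handed to the client as message content.
    """
    out, _written = inflate(compressed, claimed_size)
    return bytes(out)


def decompress_fixed(compressed: bytes, claimed_size: int) -> bytes:
    """Patched behavior: only the bytes zlib actually produced are returned."""
    out, written = inflate(compressed, claimed_size)
    return bytes(out[:written])


def leaked_bytes(compressed: bytes, claimed_size: int) -> int:
    """Bytes of stale memory one undersized message exposes on a buggy server."""
    out, written = inflate(compressed, claimed_size)
    return len(out) - written


def sample_message():
    """Constructed test input: a 12-byte payload and its zlib-compressed form."""
    payload = b'{"hello": 1}'
    return payload, zlib.compress(payload)


if __name__ == "__main__":
    # Constructed input: a 12-byte payload inside a message that claims to
    # inflate to 256 bytes.
    payload, msg = sample_message()
    buggy = decompress_buggy(msg, 256)
    print(f"buggy server returned {len(buggy)} bytes, "
          f"{leaked_bytes(msg, 256)} of them stale heap")
    print("leaked tail starts:", buggy[len(payload):len(payload) + 34])
    print("fixed server returned:", decompress_fixed(msg, 256))
```

Run as a script it prints the 256-byte response a buggy server would produce for a 12-byte payload, with the HEAP_FILL marker where stale memory would sit, and the 12-byte response the patched logic produces. The declared size is the only attacker-controlled knob the model needs, which is why no credentials are involved.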
Mitigation steps:
1. Upgrade immediately to a patched version: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 or 4.4.30. This is the only complete fix.
2. If patching must wait, stop offering zlib: set net.compression.compressors (or the --networkMessageCompressors command-line option) to a list that explicitly omits zlib, for example snappy and zstd, or disable network compression entirely. The option is read at startup, so mongod must be restarted. This removes the reachable pre-authentication zlib path but is a workaround, not a fix.
3. Restrict network exposure of MongoDB servers (firewall rules, private networking, no direct Internet exposure). A pre-authentication bug makes every reachable instance a target, credentials or not.
4. Monitor MongoDB logs for anomalous pre-authentication connections or unexpected crashes.
5. Plan upgrades for any remaining end-of-life versions (4.2, 4.0, 3.6): no patch will be published for them, so they stay vulnerable until replaced.
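The zlib workaround from step 2, expressed as mongod.conf settings. This is an added example, not configuration taken from the advisory or from MongoDB's documentation. The first document shows the compressor list that affected versions offer by default (the weak setting); the second shows the hardened list with zlib removed. Before and after the change, check what a running instance advertises with db.adminCommand({getCmdLineOpts: 1}) from the shell.

```yaml
# Added example of the interim workaround (mitigation step 2); not from the advisory.
# Weak: the default list on affected versions still offers zlib, so the
# vulnerable pre-authentication decompression path stays reachable.
net:
  compression:
    compressors: snappy,zstd,zlib
---
# Hardened: zlib omitted. A client that only offers zlib negotiates no
# compression at all; snappy and zstd keep working for everyone else.
net:
  compression:
    compressors: snappy,zstd
```

The command-line equivalent is --networkMessageCompressors snappy,zstd; to turn network compression off entirely, set the value to disabled. Apply the same setting to every mongod in a replica set or cluster, since each member negotiates compression independently with its clients, and restart each one for the option to take effect.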
Affected products:
MongoDB Server 8.2.0-8.2.2
MongoDB Server 8.0.0-8.0.16
MongoDB Server 7.0.0-7.0.27
MongoDB Server 6.0.0-6.0.26
MongoDB Server 5.0.0-5.0.31
MongoDB Server 4.4.0-4.4.29
MongoDB Server v4.2 (all versions)
MongoDB Server v4.0 (all versions)
MongoDB Server v3.6 (all versions)
Related links:
https://en.wikipedia.org/wiki/Heartbleed
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://censys.com/advisory/cve-2025-14847
https://ubuntu.com/security/CVE-2025-14847
https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847
https://github.com/Neo23x0/mongobleed-detector
https://app.wiz.io/boards/threat-center
https://jira.mongodb.org/browse/SERVER-115508
https://x.com/dez_/status/2004351287715156023
https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/#technical_analysis
Related CVEs:
Related threat actors:
IOCs:
No atomic indicators (hashes, IP addresses) are given in the source; the indicators are behavioral: anomalous pre-authentication connections to MongoDB, zlib-compressed wire-protocol messages (OP_COMPRESSED) arriving before authentication completes, especially ones whose declared uncompressed size far exceeds the actual payload, and unexpected crashes recorded in MongoDB logs.
This article was created with the assistance of AI technology by Perceptive.
