


Perceptive Security
SOC/SIEM Consultancy

MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide
Published:
29 December 2025 at 07:49:00
Alert date:
29 December 2025 at 08:02:26
Source:
thehackernews.com
Database & Storage, Zero-Day Vulnerabilities, Data Breach & Exfiltration
A critical MongoDB vulnerability, CVE-2025-14847 (CVSS 8.7), dubbed MongoBleed, is under active exploitation worldwide. The flaw allows unauthenticated attackers to remotely leak sensitive data from MongoDB server memory. Over 87,000 potentially vulnerable MongoDB instances have been identified globally. Because the flaw is reachable without authentication, sensitive information held in server memory can be read by anyone able to connect to an exposed instance. Organizations running MongoDB deployments are at high risk and should implement immediate security measures.
Technical details
CVE-2025-14847 (CVSS score: 8.7) is a flaw in MongoDB's zlib compression implementation in message_compressor_zlib.cpp. It allows unauthenticated attackers to remotely leak sensitive data from MongoDB server memory by sending malformed network packets. The root cause is that the zlib-based network message decompression logic returns the allocated buffer size instead of the actual decompressed data length, so an undersized or malformed payload causes adjacent heap memory to be exposed as if it were message data. The vulnerability affects instances with zlib compression enabled (the default configuration) and is reachable before authentication, without any user interaction.
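To make the bug class concrete, the following is an added toy model, not MongoDB's code and not its wire format: a decoder that reports the allocated buffer size (the defect described above) beside one that reports the length zlib actually produced. The 4-byte header, the STALE_HEAP contents standing in for uninitialised heap memory, and all function names are constructed for this illustration.

```python
import struct
import zlib

# Constructed stand-in for uninitialised heap memory: a freshly allocated
# buffer still holds bytes from a previous use. Not real MongoDB memory.
STALE_HEAP = b"stale:SECRET_TOKEN=abc123;" * 4


def allocate(size: int) -> bytearray:
    """Model malloc() handing back a buffer that still contains stale data."""
    if size > len(STALE_HEAP):
        raise ValueError("toy heap too small")
    return bytearray(STALE_HEAP[:size])


def build_message(payload: bytes, declared_size: int) -> bytes:
    """Toy framing (constructed, not the MongoDB wire format): 4-byte
    little-endian declared uncompressed size followed by a zlib stream."""
    return struct.pack("<I", declared_size) + zlib.compress(payload)


def decompress_vulnerable(msg: bytes) -> bytes:
    """Model of the bug class: the buffer is sized from the untrusted header
    and the caller is told the allocated size, not how many bytes zlib wrote."""
    declared = struct.unpack_from("<I", msg)[0]
    buf = allocate(declared)
    out = zlib.decompressobj().decompress(msg[4:], declared)
    buf[:len(out)] = out
    return bytes(buf)  # BUG: stale bytes past len(out) are returned as message data


def decompress_fixed(msg: bytes) -> bytes:
    """Hardened form: return exactly the bytes zlib produced and reject a
    header whose declared size disagrees with the compressed stream."""
    declared = struct.unpack_from("<I", msg)[0]
    d = zlib.decompressobj()
    out = d.decompress(msg[4:], declared)
    if len(out) != declared or d.unconsumed_tail:
        raise ValueError("declared size does not match decompressed length")
    return out  # length comes from the decompressor, never from the allocation


def is_rejected(msg: bytes) -> bool:
    """True if the hardened decoder refuses the message."""
    try:
        decompress_fixed(msg)
    except ValueError:
        return True
    return False
```

Running the vulnerable decoder on a message whose header claims 32 bytes for a 5-byte payload returns the payload followed by the stale SECRET_TOKEN bytes; the hardened decoder rejects the same message.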
Mitigation steps:
Update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30
Disable zlib compression on MongoDB Server by starting mongod or mongos with the networkMessageCompressors command-line option or the net.compression.compressors configuration setting, with a compressor list that explicitly omits zlib
Restrict network exposure of MongoDB servers
Monitor MongoDB logs for anomalous pre-authentication connections
Apply patches for MongoDB Atlas (already available)
Affected products:
MongoDB Server (all versions prior to patches)
MongoDB versions requiring update to: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30
MongoDB Atlas (patches applied)
Ubuntu rsync package (uses zlib)
Related links:
https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html
https://github.com/joe-desimone/mongobleed
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/#technical_analysis
https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb
https://censys.com/advisory/cve-2025-14847
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://ubuntu.com/security/CVE-2025-14847
Related CVEs:
Related threat actors:
IOCs:
Malformed compressed network packets sent to MongoDB servers
Anomalous pre-authentication connections in MongoDB logs
Large volume of requests targeting MongoDB instances with zlib compression enabled
This article was created with the assistance of AI technology by Perceptive.
