A high-severity unauthenticated information-leak vulnerability in MongoDB Server, dubbed MongoBleed after the notorious Heartbleed bug, is now being actively exploited in real-world attacks.
MongoDB has disclosed CVE-2025-14847, a critical flaw affecting a number of supported and legacy server versions that allows unauthenticated remote attackers to exfiltrate sensitive data and authentication credentials from vulnerable instances.
MongoBleed stems from improper handling of length fields in the MongoDB Server's zlib-based network message decompression logic, which runs before authentication checks. By sending malformed compressed network packets, unauthenticated attackers can cause the server to mishandle decompressed message lengths, resulting in the server returning fragments of uninitialized heap memory directly to the client.
The root cause lies in message_compressor_zlib.cpp, where the vulnerable code returned the allocated buffer size instead of the actual decompressed data length. This subtle but critical flaw allows undersized or malformed payloads to expose adjacent heap memory containing sensitive information, a buffer overflow vulnerability analogous to Heartbleed.
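To make the bug class concrete, here is an added toy model (not MongoDB's code, and not a reproduction of message_compressor_zlib.cpp) of the two behaviours described above: a decompressor that hands back the whole allocated buffer, beside one that returns only the bytes zlib produced and rejects frames whose declared length disagrees with the decompressed length. The frame layout (a 4-byte declared length followed by a zlib stream) and the 0xAA sentinel standing in for stale heap contents are constructed for the illustration.

```python
import zlib

STALE = b"\xaa"  # constructed sentinel standing in for whatever the heap held before


def build_frame(payload: bytes, declared_len: int) -> bytes:
    """Constructed toy frame: 4-byte little-endian declared uncompressed length,
    followed by a zlib stream. A well-formed frame has declared_len == len(payload)."""
    return declared_len.to_bytes(4, "little") + zlib.compress(payload)


def _inflate_into(frame: bytes):
    """Shared by both versions: size the output buffer from the untrusted declared
    length and inflate at most that many bytes into it (bounded, like a destLen)."""
    declared = int.from_bytes(frame[:4], "little")
    out = bytearray(STALE * declared)  # models a freshly allocated, unzeroed buffer
    d = zlib.decompressobj()
    # max_length=0 would mean "unlimited" in zlib, so a zero-length buffer gets nothing
    produced = d.decompress(frame[4:], declared) if declared else b""
    out[: len(produced)] = produced
    return out, produced, d


def decompress_buggy(frame: bytes) -> bytes:
    """Models the defect: the caller receives the whole allocated buffer, so an
    undersized payload hands back stale bytes after the genuine data."""
    out, _produced, _d = _inflate_into(frame)
    return bytes(out)


def decompress_fixed(frame: bytes) -> bytes:
    """Hardened version: return only the bytes zlib produced, and reject the frame
    when that count disagrees with the declared length, when the stream did not
    end cleanly, or when compressed input is left over (payload larger than declared)."""
    out, produced, d = _inflate_into(frame)
    if len(produced) != len(out) or d.unconsumed_tail or not d.eof:
        raise ValueError("declared length does not match decompressed length")
    return bytes(out[: len(produced)])


def leaked_tail(frame: bytes) -> bytes:
    """Bytes the buggy path returns beyond the genuine payload (empty when well-formed)."""
    _out, produced, _d = _inflate_into(frame)
    return decompress_buggy(frame)[len(produced):]


if __name__ == "__main__":
    good = build_frame(b"ping", 4)
    short = build_frame(b"ping", 16)  # constructed undersized payload
    print(decompress_buggy(good), decompress_fixed(good))
    print(leaked_tail(short))  # twelve sentinel bytes: the "bleed"
```

The decisive difference is one line: the buggy path trusts the allocation size as the message length, while the fixed path trusts only the count that zlib reports and treats any mismatch as a protocol error rather than data to return.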
Because the flaw is reachable before authentication and requires no user interaction, Internet-exposed MongoDB servers face an immediate risk of exploitation.
According to Censys, roughly 87,000 potentially vulnerable instances are currently exposed worldwide, with Wiz research indicating that 42% of cloud environments host at least one vulnerable MongoDB instance.
A working exploit became publicly available on December 26, 2025, with confirmed real-world exploitation reported shortly thereafter. This rapid transition from proof of concept to active exploitation underscores the severity and exploitability of the flaw.
Threat actors have wasted no time leveraging the vulnerability to target internet-facing MongoDB deployments across cloud and on-premises environments.
Affected and Fixed Versions
MongoBleed affects a broad range of MongoDB Server versions across the entire supported and legacy product line:
MongoDB series    Affected versions        Fixed version(s)
8.2.x             8.2.0 through 8.2.2      8.2.3 or later
8.0.x             8.0.0 through 8.0.16     8.0.17 or later
7.0.x             7.0.0 through 7.0.27     7.0.28 or later
6.0.x             6.0.0 through 6.0.26     6.0.27 or later
5.0.x             5.0.0 through 5.0.31     5.0.32 or later
4.4.x             4.4.0 through 4.4.29     4.4.30 or later
4.2.x             All versions             None available
4.0.x             All versions             None available
3.6.x             All versions             None available
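For triaging an estate against the table above, the following added script (not from MongoDB or any vendor tool) encodes the listed ranges and classifies a reported server version as fixed, vulnerable with an upgrade target, vulnerable with no fix in its series, or not listed. The inventory in the usage section is constructed; the version strings it accepts mirror what `db.version()` or `mongod --version` print, and the regex simply takes the first x.y.z it finds, so a pre-release suffix such as "-rc0" is ignored.

```python
import re

# Series -> (last affected release, first fixed release), as listed in the table above.
# None means every release in the series is affected and no fixed release exists.
ADVISORY = {
    (8, 2): ((8, 2, 2), (8, 2, 3)),
    (8, 0): ((8, 0, 16), (8, 0, 17)),
    (7, 0): ((7, 0, 27), (7, 0, 28)),
    (6, 0): ((6, 0, 26), (6, 0, 27)),
    (5, 0): ((5, 0, 31), (5, 0, 32)),
    (4, 4): ((4, 4, 29), (4, 4, 30)),
    (4, 2): None,
    (4, 0): None,
    (3, 6): None,
}

_UNLISTED = object()  # sentinel so that a None table entry is distinguishable from "absent"


def parse_version(text: str) -> tuple:
    """Accept 'db version v8.0.5', '8.0.5' or '8.0.5-rc0' and return (8, 0, 5).
    Pre-release suffixes are dropped; treat such builds as the base release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(text: str) -> str:
    """Classify one reported version against the advisory table."""
    version = parse_version(text)
    entry = ADVISORY.get(version[:2], _UNLISTED)
    if entry is _UNLISTED:
        return "not listed"
    if entry is None:
        return "vulnerable, no fix in series"
    _last_affected, first_fixed = entry
    if version >= first_fixed:
        return "fixed"
    return "vulnerable, upgrade to " + ".".join(map(str, first_fixed))


def triage(inventory: dict) -> dict:
    """Map host -> status for an inventory of host -> reported version string."""
    return {host: assess(reported) for host, reported in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = {
        "db-prod-01": "db version v8.0.5",
        "db-prod-02": "8.0.17",
        "db-legacy-01": "4.2.25",
        "db-lab-01": "9.0.0",
    }
    for host, status in triage(sample).items():
        print(f"{host:14s} {status}")
```

Anything reported as "not listed" (a series newer than the table, for example) should be checked against the vendor's current guidance rather than assumed safe, and hosts in the 4.2, 4.0 and 3.6 series have no in-series fix, so the only remediation is migration to a supported series.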
The vulnerability also affects certain Linux distribution packages of rsync that utilize zlib, though exploitation details for rsync remain undetermined as of publication.
Organizations should first prioritize patching the vulnerability, then layer configuration, network, and monitoring controls to reduce exposure and detect abuse.
The MongoBleed Detector tool was also released to identify likely exploitation of CVE-2025-14847.
