MongoDB recently patched CVE-2025-14847, a vulnerability affecting multiple supported and legacy MongoDB Server versions. According to the disclosure, the flaw can be exploited remotely by unauthenticated attackers with low complexity, potentially leading to the exfiltration of sensitive data and credentials.
Dubbed MongoBleed after the infamous Heartbleed bug, the vulnerability has a CVSS score of 8.7 and is triggered by improper handling of zlib-compressed network traffic, allowing unauthenticated attackers to leak uninitialized memory and potentially steal sensitive data such as credentials or tokens from affected MongoDB servers. According to security researchers at Wiz, the flaw is being actively exploited in the wild.
As stated in MongoDB’s announcement, managed instances on MongoDB Atlas have already been patched, but self-hosted MongoDB deployments remain at risk if not updated. Organizations are strongly advised to apply security patches immediately or disable compression and restrict network exposure. Merav Bar, Amitai Cohen, Yaara Shriki, and Gili Tikochinski explain:
CVE-2025-14847 stems from a flaw in MongoDB Server’s zlib-based network message decompression logic, which is processed prior to authentication. By sending malformed, compressed network packets, an unauthenticated attacker can trigger the server to mishandle decompressed message lengths, resulting in uninitialized heap memory being returned to the client.
According to the Wiz article, 42% of cloud environments have at least one vulnerable MongoDB instance, and Censys reports roughly 87,000 potentially exposed servers worldwide. Since the flaw can be exploited without authentication or user interaction, database servers exposed to the internet face especially high risk. The Wiz team adds:
At a code level, the vulnerability was caused by incorrect length handling in message_compressor_zlib.cpp. The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory.
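To make the length mistake concrete, here is a constructed Python model of the defect Wiz describes (an added example, not MongoDB's code and not a model of its wire format): one decompressor sizes its result by the allocated buffer, the other by the bytes zlib actually produced. `STALE_BYTE`, `declared_len` (standing in for a client-supplied uncompressed size) and the function names are assumptions for the illustration.

```python
import zlib

# Constructed marker standing in for whatever bytes happened to be left in the
# heap region the output buffer was carved from (not real server data).
STALE_BYTE = b"\xaa"


def _inflate_into(payload: bytes, declared_len: int):
    """Decompress `payload` into a preallocated buffer of `declared_len` bytes.

    Returns (buffer, bytes_produced, decompressor). Asking zlib for up to
    declared_len + 1 bytes lets the caller notice a payload that would overrun.
    """
    if declared_len <= 0:
        raise ValueError("declared length must be positive")
    buf = bytearray(STALE_BYTE * declared_len)
    d = zlib.decompressobj()
    data = d.decompress(payload, declared_len + 1)
    n = min(len(data), declared_len)
    buf[:n] = data[:n]
    return buf, len(data), d


def decompress_buggy(payload: bytes, declared_len: int) -> bytes:
    """Model of the defect: the result is sized by the *allocated* buffer, so
    every byte zlib did not overwrite is handed back to the caller."""
    buf, _produced, _d = _inflate_into(payload, declared_len)
    return bytes(buf)


def decompress_fixed(payload: bytes, declared_len: int) -> bytes:
    """Hardened form: the result is sized by the bytes actually produced, and a
    payload whose real size differs from the declared size is rejected."""
    buf, produced, d = _inflate_into(payload, declared_len)
    if not d.eof or d.unconsumed_tail or produced != declared_len:
        raise ValueError("decompressed size does not match declared size")
    return bytes(buf[:produced])


def is_rejected(payload: bytes, declared_len: int) -> bool:
    """True when the hardened decompressor refuses the payload."""
    try:
        decompress_fixed(payload, declared_len)
    except ValueError:
        return True
    return False


def leaked_bytes(result: bytes, expected: bytes) -> int:
    """Count bytes returned to the caller beyond the genuine message."""
    return max(0, len(result) - len(expected))
```

Run with `zlib.compress(b"hello")` and a declared size of 32: the buggy version returns 27 marker bytes after the message, the hardened one rejects the mismatch.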
The bug affects all MongoDB versions released since 2017. Gourav Boiri, software developer at Linkfields Innovations, comments:
MongoBleed highlights how even mature databases can become critical attack surfaces when exposed or unpatched. Pre-auth memory disclosure, active exploitation, and 87K+ exposed instances – a reminder that database security is infrastructure security.
In the “MongoBleed Explained Simply” article, Stanislav Kozlovski explains how the vulnerability works and warns:
It is dead-easy to exploit – it only requires connectivity to the database (no auth needed). It is fixed as of writing, but some EOL versions (3.6, 4.0, 4.2) will not get it.
Eric Capuano, InfoSec founder and practitioner, explains instead how to detect from server logs whether database servers have been exploited. In a popular Reddit thread, user misteryub argues:
The argument many people make is open source code is more secure than closed source code or security issues would be found much quicker in open source code. The existence of a bug of this caliber is a counterargument to the former.
Kozlovski disagrees:
When people say that open-source is more secure, they usually mean open-source projects with an active community. Mongo seemingly didn’t have this in 2017, as the PR which introduced the bug wasn’t reviewed in the public GitHub.
MongoDB patched builds are now available for all supported versions from 4.4 through 8.0. Forks like Percona Server for MongoDB are also affected by the upstream vulnerability.
