MongoDB zlib flaw CVE-2025-14847 exploited in the wild with more than 87,000 instances at risk

A newly disclosed MongoDB vulnerability tracked as CVE-2025-14847 and dubbed MongoBleed is being actively exploited worldwide, with more than 87,000 potentially vulnerable instances identified. A technical analysis by OX Security found the flaw allows unauthenticated attackers to leak server memory.

KEY FACTS

  • Incident: Active exploitation of a MongoDB memory leak vulnerability.
  • CVE: CVE-2025-14847, tracked as MongoBleed.
  • Impact: Unauthenticated attackers can extract sensitive data from server memory.
  • Scope: More than 87,000 potentially vulnerable instances identified by Censys.
  • Mitigation: Vendors released patches and recommend disabling zlib compression if a patch cannot be applied.

The vulnerability is in MongoDB Server’s zlib message decompression implementation in the file message_compressor_zlib.cpp. The implementation can return the allocated buffer size rather than the actual decompressed data length, so a crafted compressed packet can cause the server to hand back adjacent heap memory along with the decompressed data.

Successful exploitation can reveal fragments of sensitive information stored in memory, including user records, passwords and API keys. Exploitation requires neither authentication nor user interaction, although assembling usable data from the leaked fragments may take many requests.

Per Wiz, 42 percent of cloud environments have at least one MongoDB instance running a vulnerable version. The distribution of exposed instances is concentrated in the United States, China, Germany, India and France.

MongoDB released patches for multiple supported releases and applied fixes to Atlas. Users are advised to update to the patched releases, or temporarily disable zlib compression by omitting zlib from the networkMessageCompressors command-line option or the net.compression.compressors configuration setting. Other mitigations include restricting network exposure and monitoring pre-authentication connections in logs.
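The two defender-side checks this mitigation advice implies, written out as an added example (this is not code from the advisory, OX Security, Censys, Wiz or MongoDB): one function derives a compressor setting with zlib removed from whatever a deployment currently runs, treating an absent option as MongoDB's default list, and another scans MongoDB-style JSON log lines for connections that open and close without ever authenticating, tallied per source address. The default list "snappy,zstd,zlib", the log field names and message strings, the function names and the sample log lines are all assumptions of this example; the sample lines are constructed and trimmed to the fields the parser reads.

```python
"""Added example for CVE-2025-14847 (MongoBleed) mitigation and monitoring.

Not code from the advisory or from MongoDB. Two defender-side checks:
  1. derive a zlib-free value for net.compression.compressors /
     --networkMessageCompressors for hosts that cannot patch yet;
  2. find source addresses that repeatedly open connections that end
     without authenticating (the "pre-authentication connections" the
     advisory recommends monitoring).
Assumptions: the default compressor list and the log field names and
message strings below; verify them against your own release's logs.
"""
import json
import re
from collections import defaultdict

# Assumption: MongoDB's default compressor list when the option is not set.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_compressors(value):
    """Split a compressors option value into a list of compressor names.
    None means the option is absent, so the server default applies;
    the literal value 'disabled' means no compression at all."""
    if value is None:
        value = DEFAULT_COMPRESSORS
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return [] if names == ["disabled"] else names


def zlib_enabled(value):
    """True if zlib would be negotiated with this setting (including the default)."""
    return "zlib" in parse_compressors(value)


def harden_compressors(value):
    """Mitigation value: the same list with zlib removed, or 'disabled'
    if zlib was the only compressor configured."""
    kept = [n for n in parse_compressors(value) if n != "zlib"]
    return ",".join(kept) if kept else "disabled"


def unauthenticated_connections(log_lines, threshold=3):
    """Per remote address, count connections that were accepted and then
    ended with no authentication success in between; return the addresses
    at or above `threshold`.

    Log format assumption (MongoDB 4.4+ JSON logs): fields c, ctx, msg and
    attr; 'Connection accepted' carries attr.connectionId and attr.remote,
    and later lines for that connection use ctx 'conn<N>'.
    """
    remote_of = {}              # connectionId -> source address
    authed = set()              # connectionIds that authenticated
    counts = defaultdict(int)   # source address -> unauthenticated connections
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        attr = rec.get("attr", {})
        cid = attr.get("connectionId")
        if cid is None:
            m = re.fullmatch(r"conn(\d+)", rec.get("ctx", ""))
            cid = int(m.group(1)) if m else None
        if cid is None:
            continue
        msg = rec.get("msg", "")
        if msg == "Connection accepted":
            # Drop the ephemeral port so counts aggregate per host.
            remote_of[cid] = attr.get("remote", "?").rsplit(":", 1)[0]
        elif rec.get("c") == "ACCESS" and msg == "Successfully authenticated":
            authed.add(cid)
        elif msg == "Connection ended":
            if cid in remote_of and cid not in authed:
                counts[remote_of[cid]] += 1
            remote_of.pop(cid, None)
            authed.discard(cid)
    return {addr: n for addr, n in counts.items() if n >= threshold}


# Constructed sample log (documentation addresses, fields trimmed): three
# unauthenticated connections from one host, one authenticated from another.
SAMPLE_LOG = """
{"c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:51000","connectionId":11}}
{"c":"NETWORK","ctx":"conn11","msg":"Connection ended","attr":{"remote":"203.0.113.5:51000","connectionId":11}}
{"c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:51001","connectionId":12}}
{"c":"NETWORK","ctx":"conn12","msg":"Connection ended","attr":{"remote":"203.0.113.5:51001","connectionId":12}}
{"c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.7:40000","connectionId":13}}
{"c":"ACCESS","ctx":"conn13","msg":"Successfully authenticated","attr":{"user":"app","db":"admin"}}
{"c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:51002","connectionId":14}}
{"c":"NETWORK","ctx":"conn14","msg":"Connection ended","attr":{"remote":"203.0.113.5:51002","connectionId":14}}
{"c":"NETWORK","ctx":"conn13","msg":"Connection ended","attr":{"remote":"198.51.100.7:40000","connectionId":13}}
""".splitlines()

if __name__ == "__main__":
    for setting in (None, "snappy,zstd,zlib", "zlib", "snappy,zstd"):
        print(f"{setting!r:22} zlib={zlib_enabled(setting)!s:5} -> {harden_compressors(setting)}")
    print("suspicious sources:", unauthenticated_connections(SAMPLE_LOG))
```

Feed the log function your mongod log (one JSON document per line) and compare the compressor check against the live value from db.serverCmdLineOpts() rather than the config file alone, since a command-line override wins over the file. Disabling zlib this way is a stopgap until the patched release is installed; the flagged addresses are a lead for investigation, not proof of exploitation, because legitimate health checks also open and close connections without authenticating.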

WHY IT MATTERS

The flaw allows unauthenticated remote access to server memory and affects default configurations that enable zlib. Systems that remain unpatched or internet exposed face a concrete risk of data disclosure until mitigations are applied.