Dec. 29, 2025 — A critical security flaw in MongoDB Server, tracked as CVE-2025-14847 and nicknamed MongoBleed, is being actively exploited across the globe, with over 87,000 potentially vulnerable instances reported. The vulnerability carries a CVSS score of 8.7 and allows an unauthenticated attacker to remotely read sensitive data from the memory of the MongoDB server process.
Security researchers say the flaw originates in MongoDB Server’s zlib message decompression logic. An attacker can trigger it by sending specially crafted zlib-compressed wire-protocol messages, causing the server to treat uninitialized heap memory as part of the message and leak whatever that memory still holds, such as user credentials, passwords, and API keys.
“Although an attacker might need to send large volumes of requests to extract complete databases, extended access could reveal substantial private data,” OX Security noted.
How the Vulnerability Works
The vulnerability stems from improper handling in MongoDB’s message_compressor_zlib.cpp. When decompressing a zlib-compressed message, the server sizes its output buffer from the uncompressedSize field that the client supplies in the OP_COMPRESSED header, and then reports the allocated buffer size as the decompressed length instead of the number of bytes zlib actually wrote. The unwritten tail of that buffer, still holding whatever previously occupied that heap memory, is processed as message content and can be returned to the client in the server’s reply. Because compression is negotiated before authentication, no credentials or user interaction are required.
Cloud security firm Wiz explained that internet-exposed MongoDB servers are particularly at risk, as the vulnerability can be triggered remotely prior to authentication. Censys data shows that most vulnerable instances are located in the U.S., China, Germany, India, and France, with 42% of cloud environments hosting at least one affected MongoDB server.
Mitigation and Updates
MongoDB users are strongly advised to update to the following patched versions or later:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30
Patches for MongoDB Atlas have already been applied. Until a server can be upgraded, temporary mitigations include removing zlib from the server’s list of enabled compressors (the networkMessageCompressors command-line option or the net.compression.compressors setting in the config file; for example, leave only snappy and zstd, or set the value to disabled to turn off wire compression entirely), restricting network exposure so MongoDB servers are not reachable from the internet, and monitoring logs for unusual pre-authentication activity.
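The following is an added example, not MongoDB’s source code and not material from OX Security, Wiz, or CISA. It models the length-handling bug described under “How the Vulnerability Works” and the compressor-list mitigation above in Python: it frames a message as OP_COMPRESSED using the layout from the MongoDB wire-protocol specification (MsgHeader, originalOpcode, uncompressedSize, compressorId), decompresses it once the flawed way, which returns the whole buffer sized from the client’s uncompressedSize, and once the hardened way, which returns only what zlib produced and rejects a mismatch; a compressor allowlist stands in for net.compression.compressors. The stale heap contents, the message bodies and all function names are constructed for the example; MongoDB’s real fix lives in C++ in message_compressor_zlib.cpp and is only approximated here.

```python
"""Model of the CVE-2025-14847 length bug and its fix (added example, not MongoDB code).

OP_COMPRESSED layout, per the MongoDB wire-protocol specification:
  MsgHeader: messageLength int32, requestID int32, responseTo int32, opCode int32 (2012)
  originalOpcode int32, uncompressedSize int32, compressorId uint8, compressedMessage
Compressor ids: 0 noop, 1 snappy, 2 zlib, 3 zstd.
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
NOOP, SNAPPY, ZLIB, ZSTD = 0, 1, 2, 3
MAX_MESSAGE = 48 * 1024 * 1024  # MongoDB's maximum wire message size

# Constructed stand-in for whatever an earlier request left behind in freed heap memory.
STALE_HEAP = b"...user=admin;pwd=hunter2;apikey=AKIA...EXAMPLE..." * 2


def build_op_compressed(body: bytes, claimed_size: int,
                        compressor_id: int = ZLIB, request_id: int = 1) -> bytes:
    """Frame `body` as OP_COMPRESSED; `claimed_size` is what the header says, not the truth."""
    payload = zlib.compress(body)
    rest = struct.pack("<iiB", OP_MSG, claimed_size, compressor_id) + payload
    header = struct.pack("<iiii", 16 + len(rest), request_id, 0, OP_COMPRESSED)
    return header + rest


def parse_op_compressed(frame: bytes):
    """Return (originalOpcode, uncompressedSize, compressorId, compressedMessage)."""
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame) or msg_len < 25:
        raise ValueError("not a well-formed OP_COMPRESSED frame")
    orig_op, claimed, comp_id = struct.unpack_from("<iiB", frame, 16)
    if not 0 < claimed <= MAX_MESSAGE:
        raise ValueError("uncompressedSize out of range")
    return orig_op, claimed, comp_id, frame[25:]


def _uninitialized_buffer(size: int) -> bytearray:
    """Simulates an allocation that comes back still holding old data (constructed)."""
    return bytearray((STALE_HEAP * (size // len(STALE_HEAP) + 1))[:size])


def vulnerable_decompress(frame: bytes) -> bytes:
    """The flawed pattern: the output length is the allocated size, not zlib's byte count."""
    _, claimed, comp_id, payload = parse_op_compressed(frame)
    if comp_id != ZLIB:
        raise ValueError("this model only covers zlib")
    buf = _uninitialized_buffer(claimed)          # sized from the client's header
    produced = zlib.decompress(payload)
    if len(produced) > claimed:
        raise ValueError("Z_BUF_ERROR: output exceeds buffer")
    buf[:len(produced)] = produced                # zlib fills only what it has
    return bytes(buf)                             # BUG: stale tail is treated as message


def fixed_decompress(frame: bytes, allowed=(SNAPPY, ZLIB, ZSTD)) -> bytes:
    """Hardened: allowlist the compressor, honour zlib's real output length, reject mismatch."""
    _, claimed, comp_id, payload = parse_op_compressed(frame)
    if comp_id not in allowed:                    # models net.compression.compressors
        raise ValueError(f"compressor id {comp_id} is not enabled")
    if comp_id != ZLIB:
        raise ValueError("this model only covers zlib")
    d = zlib.decompressobj()
    produced = d.decompress(payload, claimed)     # never produce more than the buffer holds
    if len(produced) != claimed or d.unconsumed_tail:
        raise ValueError("decompressed length does not match uncompressedSize")
    return produced


def inspect_frame(frame: bytes):
    """For traffic review: (compressorId, claimed uncompressedSize, real inflated length)."""
    _, claimed, comp_id, payload = parse_op_compressed(frame)
    return comp_id, claimed, len(zlib.decompress(payload))


def is_rejected(fn, *args, **kwargs) -> bool:
    """True if the decompressor refuses the frame with ValueError."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    lying = build_op_compressed(b'{"ping":1}', claimed_size=64)
    print(vulnerable_decompress(lying))      # body followed by 54 bytes of stale heap
    print(is_rejected(fixed_decompress, lying))
    honest = build_op_compressed(b'{"ping":1}', claimed_size=10)
    print(fixed_decompress(honest))
    print(is_rejected(fixed_decompress, honest, allowed=(SNAPPY, ZSTD)))
```

The tuple from inspect_frame is the check worth running over captured traffic: a zlib frame whose claimed uncompressedSize is far larger than what its payload actually inflates to is exactly the shape an exploit attempt takes, and the allowed parameter of fixed_decompress shows why dropping zlib from the compressor list closes the pre-authentication path even on an unpatched build.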
The flaw is in MongoDB’s own handling of the decompressed length, not in the zlib library itself, so other software that links zlib, such as the Ubuntu rsync package, is not affected by this CVE.
U.S. Federal Action
On December 29, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its catalog of actively exploited vulnerabilities, requiring all Federal Civilian Executive Branch (FCEB) agencies to implement fixes by January 19, 2026.
“MongoDB Server contains an improper handling of length parameter inconsistency in zlib compressed protocol headers, potentially allowing unauthenticated clients to read uninitialized heap memory,” CISA stated.
Organizations running MongoDB are urged to apply the updates immediately and implement recommended mitigations to prevent data leakage and exploitation.