Dubbed "MongoBleed," CVE-2025-14847 allows unauthenticated attackers to exfiltrate sensitive data from MongoDB heap memory. With 87,000 instances exposed, active exploitation is now confirmed.
Security researchers have issued an urgent warning regarding CVE-2025-14847, a high-severity vulnerability in MongoDB dubbed "MongoBleed." The flaw allows remote, unauthenticated attackers to leak sensitive information directly from a server's memory. As of December 28, 2025, security firm Wiz has confirmed that exploitation is occurring in the wild, targeting thousands of exposed databases.
The "So What?" is simple: if you run a self-hosted MongoDB instance with default compression settings, an attacker could potentially scrape your server's memory for credentials, session tokens, or actual database fragments—all without needing a single password. With Shodan and Censys identifying between 87,000 and 100,000 potentially vulnerable instances, the scale of this threat is massive.
While MongoDB Atlas (the managed cloud service) users have already been patched automatically, those managing their own infrastructure—whether on-premise, in containers, or via Kubernetes—must take manual action immediately.
The vulnerability stems from a flaw in how MongoDB handles zlib-compressed network messages. When a client sends a specially crafted, compressed request with mismatched length fields, the server’s decompression logic fails to validate the data correctly.
Instead of returning only the intended data, the server "bleeds" uninitialized heap memory back to the attacker. Because this process happens during the initial network handshake, it occurs before authentication. This means anyone who can reach your MongoDB port (default 27017) can potentially trigger the leak.
Reports indicate that while the leak happens in fragments, persistent attackers can automate thousands of requests to reconstruct sensitive data. A public Proof-of-Concept (PoC) has been published by Joe Desimone, fueling the recent surge in active exploitation.
| Major Branch | Vulnerable Versions | Patched Version |
| 8.2 | 8.2.0 – 8.2.2 | 8.2.3 |
| 8.0 | 8.0.0 – 8.0.16 | 8.0.17 |
| 7.0 | 7.0.0 – 7.0.27 | 7.0.28 |
| 6.0 | 6.0.0 – 6.0.26 | 6.0.27 |
| 5.0 | 5.0.0 – 5.0.31 | 5.0.32 |
| 4.4 | 4.4.0 – 4.4.29 | 4.4.30 |
| Legacy | All 4.2, 4.0, 3.6 series | Upgrade to supported |
Comparative Context: The scale of this exposure is reminiscent of the "ransomware waves" of 2017 and 2020, where tens of thousands of unprotected MongoDB instances were wiped. However, MongoBleed is more insidious; it doesn't always leave a "ransom note"—it quietly drains data.
This incident highlights a persistent trend in the "low-level" attack surface of popular databases. By targeting the compression layer—a component that sits beneath the application logic—attackers bypass virtually all standard security controls like RBAC or IP whitelisting within the database itself.
Historically, MongoDB has struggled with wide-scale exposure due to misconfigurations. MongoBleed represents a shift where the software itself provides a "front door" for data exfiltration, regardless of how strong your database passwords are. If your instance is internet-facing, it is essentially a glass house until patched.
mongod --version to see if you are on a vulnerable branch.nmap or check your cloud security groups.If you cannot upgrade immediately, you must disable the vulnerable compression logic:
mongod or mongos instance with the following flag: --networkMessageCompressors "snappy,zstd"
