MongoDB has issued an urgent security advisory warning administrators to patch a high-severity vulnerability affecting MongoDB Server deployments.
The vulnerability, tracked as CVE-2025-14847, stems from improper handling of length parameter inconsistencies in the server’s zlib compression implementation and can be exploited by unauthenticated attackers over the network.
Update: Active “MongoBleed” Exploitation Observed
January 6, 2026
Threat intelligence reporting has confirmed ongoing active exploitation of CVE-2025-14847 (MongoBleed), with exploitation activity first observed in late December following the public release of proof-of-concept exploit code. On December 29th, CISA added CVE-2025-14847 to its Known Exploited Vulnerability (KEV) catalog, reinforcing the urgency of remediation for any internet-exposed MongoDB instances.
The emergence of a GUI-based exploitation tool that automates abuse of CVE-2025-14847 (MongoBleed) is further increasing risk. The tool significantly lowers the technical barrier to exploitation, allowing opportunistic attackers to repeatedly trigger the zlib-related heap memory leak and extract uninitialized server memory without authentication.
Impact
CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap. This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation.
Although direct remote code execution has not been publicly confirmed at the time of writing, memory disclosure vulnerabilities are frequently leveraged as part of more complex exploitation chains. In certain scenarios, such flaws can reduce the effectiveness of memory protections and increase the likelihood of follow-on attacks, particularly when combined with additional vulnerabilities.
Given MongoDB’s role as a core data store in many production environments, successful exploitation could expose sensitive application data and internal system details.
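To make the bug class concrete, here is a small Python model of the failure mode the Impact section describes: a decompression path that trusts a caller-supplied "uncompressed length", fills a buffer of that size with whatever actually inflates, and hands the whole buffer back, so the unfilled tail carries stale memory. This is an added illustration written for this advisory, not MongoDB's code; the buffer pool, the message layout and the secret placed in the pool are constructed assumptions used only to show the leak beside the checked version.

```python
"""Model of the memory-disclosure bug class the advisory describes.
Constructed illustration, not MongoDB's code: the BufferPool, the
declared-length message layout and the sample secret are assumptions."""
import zlib


class BufferPool:
    """Models an allocator that recycles freed buffers without zeroing them,
    so a fresh allocation may still hold bytes from an earlier request."""

    def __init__(self):
        self._free = []

    def get(self, size):
        for i, buf in enumerate(self._free):
            if len(buf) >= size:
                return self._free.pop(i)  # stale contents deliberately kept
        return bytearray(size)

    def put(self, buf):
        self._free.append(buf)


def inflate_trusting_declared_length(pool, declared_len, compressed):
    """Vulnerable pattern: the buffer is sized by the untrusted declared
    length and returned whole, so a short payload leaves stale bytes in the
    tail that then flow into whatever processes the message."""
    out = pool.get(declared_len)
    payload = zlib.decompress(compressed)
    out[:len(payload)] = payload
    return bytes(out[:declared_len])


def inflate_checked(pool, declared_len, compressed, max_len=48 * 1024 * 1024):
    """Hardened pattern: cap the declared length, inflate with an output
    bound, and reject any message whose real inflated size differs from the
    declared one instead of trusting the header."""
    if not 0 < declared_len <= max_len:
        raise ValueError("declared uncompressed length out of bounds")
    d = zlib.decompressobj()
    payload = d.decompress(compressed, declared_len + 1)  # +1 detects overrun
    if not d.eof or d.unconsumed_tail or len(payload) != declared_len:
        raise ValueError("inflated size does not match declared length")
    out = pool.get(declared_len)
    out[:declared_len] = payload
    return bytes(out[:declared_len])


def run_demo():
    """Constructed scenario: a buffer that earlier held a secret is freed
    back to the pool, then a 5-byte payload arrives declaring 32 bytes."""
    pool = BufferPool()
    earlier = bytearray(b"SESSION-TOKEN-deadbeef".ljust(32, b"\x00"))  # constructed
    pool.put(earlier)
    compressed = zlib.compress(b"hello")

    leaked = inflate_trusting_declared_length(pool, 32, compressed)
    pool.put(earlier)  # recycle the same buffer for the hardened path
    try:
        inflate_checked(pool, 32, compressed)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    exact = inflate_checked(pool, 5, compressed)
    return leaked, mismatch_rejected, exact


if __name__ == "__main__":
    leaked, rejected, exact = run_demo()
    print("vulnerable path returned:", leaked)
    print("hardened path rejected mismatch:", rejected)
    print("hardened path with correct length:", exact)
```

The point of the hardened variant is that the declared length is treated as a claim to verify, not a size to trust: the output is bounded before inflation, and a mismatch in either direction is an error rather than a silently padded buffer.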
Affected Technologies
The vulnerability impacts MongoDB Server across a wide range of versions.
Affected versions include:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server 4.2, 4.0, and 3.6 releases
MongoDB has released fixed versions to address the issue.
Mitigation Guidance
MongoDB strongly recommends upgrading to a patched release as soon as possible. Fixed versions include 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
If immediate patching is not feasible, MongoDB advises disabling zlib compression by explicitly setting the networkMessageCompressors command-line option or the net.compression.compressors configuration setting to a list that omits zlib. This mitigation reduces exposure by preventing the vulnerable compression path from being used.
As a general best practice, MongoDB servers should not be exposed directly to the internet, and access should be restricted using network controls and authentication mechanisms.
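The following triage helper is an added example for this advisory (not MongoDB's code) that turns the guidance above into two checks an administrator can run against inventory data: whether a server's version is at or above the fixed release for its branch, and whether zlib is still in the configured compressor list. It treats the fixed versions listed under Mitigation Guidance as the patch threshold per branch, assumes mongod's default compressor list is snappy,zstd,zlib when the setting is absent and that the value "disabled" turns compression off (both per MongoDB's documentation as I understand it), and the mongod.conf snippet at the bottom is a constructed sample.

```python
"""Triage helper for CVE-2025-14847 (MongoBleed) exposure. Added example for
this advisory, not MongoDB's code. Fixed versions are taken from the
Mitigation Guidance section; the default compressor list and the
'disabled' value are assumptions based on MongoDB documentation."""

# Earliest patched release per supported branch (from the advisory).
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
# Branches for which the advisory lists every release as affected.
UNPATCHED_BRANCHES = {(4, 2), (4, 0), (3, 6)}
# Assumed mongod default when net.compression.compressors is not set.
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]


def parse_version(text):
    """Turn '7.0.12' or '7.0.12-rc0' into a comparable (major, minor, patch)."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version):
    """True if at/above the fixed release, False if affected, None if the
    branch is not covered by the advisory (verify manually)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in UNPATCHED_BRANCHES:
        return False
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return v >= fixed


def parse_compressors(setting):
    """net.compression.compressors is a comma-separated string in mongod.conf
    (networkMessageCompressors on the command line); 'disabled' is assumed
    to turn network compression off entirely."""
    if setting is None:
        return list(DEFAULT_COMPRESSORS)
    names = [n.strip().lower() for n in setting.split(",") if n.strip()]
    return [] if names == ["disabled"] else names


def compressors_from_conf(conf_text):
    """Pull the net.compression.compressors value out of a mongod.conf.
    Minimal line scan, not a full YAML parser: it looks for a 'compressors:'
    key nested under 'compression:' and returns its raw value, or None."""
    in_compression = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key = line.strip()
        if key.startswith("compression:"):
            in_compression = True
            continue
        if in_compression and key.startswith("compressors:"):
            return key.split(":", 1)[1].strip().strip("'\"") or None
        if in_compression and len(line) - len(line.lstrip()) <= 2:
            in_compression = False  # left the compression block
    return None


def assess(version, compressors_setting=None):
    """Combine the version check and the interim mitigation check."""
    patched = is_patched(version)
    compressors = parse_compressors(compressors_setting)
    zlib_enabled = "zlib" in compressors
    if patched is True:
        status = "patched"
    elif patched is None:
        status = "unknown branch: not covered by advisory, verify manually"
    elif zlib_enabled:
        status = "VULNERABLE: unpatched and zlib enabled"
    else:
        status = "mitigated: zlib disabled, but upgrade is still required"
    return {"version": version, "patched": patched,
            "compressors": compressors, "zlib_enabled": zlib_enabled,
            "status": status}


SAMPLE_CONF = """# constructed sample mongod.conf
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd   # zlib removed as interim mitigation
"""

if __name__ == "__main__":
    for ver in ("7.0.12", "7.0.28", "4.2.8"):
        print(assess(ver, compressors_from_conf(SAMPLE_CONF))["status"])
```

Feed it the output of db.version() (or the version field from an inventory tool) together with the compressors value from each host's mongod.conf; a "mitigated" result means the interim workaround is in place, not that the host can stay on the affected release.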
Threat Context
MongoDB is one of the most widely deployed non-relational database platforms, used by tens of thousands of organizations globally, including large enterprises and critical infrastructure providers.
Vulnerabilities affecting core database services are consistently targeted once public details become available, particularly when they can be exploited remotely without authentication.
Stay Safe. Stay Secure.
OP Innovate Research Team