A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world.
The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed.
“A flaw in zlib compression allows attackers to trigger information leakage,” OX Security said. “By sending malformed network packets, an attacker can extract fragments of private data.”
The problem is rooted in MongoDB Server’s zlib message decompression implementation (“message_compressor_zlib.cpp”). It affects instances with zlib compression enabled, which is the default configuration. Successful exploitation of the shortcoming could allow an attacker to extract sensitive information from MongoDB servers, including user information, passwords, and API keys.
“Although the attacker might need to send a large amount of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered,” OX Security added.
Cloud security company Wiz said CVE-2025-14847 stems from a flaw in the zlib-based network message decompression logic, enabling an unauthenticated attacker to send malformed, compressed network packets to trigger the vulnerability and access uninitialized heap memory without valid credentials or user interaction.
“The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory,” security researchers Merav Bar and Amitai Cohen said. “Because the vulnerability is reachable prior to authentication and does not require user interaction, Internet-exposed MongoDB servers are particularly at risk.”
Data from attack surface management company Censys shows that there are more than 87,000 potentially vulnerable instances, with a majority of them located in the U.S., China, Germany, India, and France. Wiz noted that 42% of cloud environments have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847. This includes both internet-exposed and internal resources.
The exact details surrounding the nature of attacks exploiting the flaw are presently unknown. Users are advised to update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Patches for MongoDB Atlas have been applied. It’s worth noting that the vulnerability also affects the Ubuntu rsync package, as it uses zlib.
As temporary workarounds, it’s recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. Other mitigations include restricting network exposure of MongoDB servers and monitoring MongoDB logs for anomalous pre-authentication connections.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its catalog of exploited vulnerabilities on December 29, 2025, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by January 19, 2026.
“MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in zlib compressed protocol headers,” CISA said. “This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.”
