Critical Information Disclosure Vulnerability in MongoDB (CVE-2025-14847)

Published On: Dec 30, 2025 15:21

Advisory No: TZCERT-SA-25-0131

Source: MONGODB

Software Affected: MongoDB 8.2.0 through 8.2.2, MongoDB 8.0.0 through 8.0.16, MongoDB 7.0.0 through 7.0.26, MongoDB 6.0.0 through 6.0.26, MongoDB 5.0.0 through 5.0.31, MongoDB 4.4.0 through 4.4.29, all MongoDB Server v4.2 versions, all MongoDB Server v4.0 versions and all MongoDB Server v3.6 versions

Overview

A high-severity vulnerability (CVSS 8.7) has been identified in MongoDB and is currently being actively exploited on a global scale. Tracked as CVE-2025-14847 and codenamed MongoBleed, the flaw enables unauthenticated remote attackers to obtain sensitive information directly from MongoDB server memory. The vulnerability has been confirmed as actively exploited in the wild and is formally listed in the CISA Known Exploited Vulnerabilities (KEV) Catalogue, underscoring the urgency for immediate remediation.

Description

The vulnerability stems from an implementation flaw in MongoDB Server’s zlib-based network message decompression logic (message_compressor_zlib.cpp). Due to improper handling of decompressed message lengths, MongoDB mistakenly returns uninitialized heap memory to remote attackers. The flaw can be exploited prior to authentication by sending specially crafted, malformed compressed network packets, without valid credentials or user interaction. Security researchers determined that the affected logic returns the allocated buffer size rather than the actual length of the decompressed data, so the contents of the unused remainder of the buffer, which may hold data from earlier allocations, are exposed to the sender.
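To illustrate the bug class described above, here is an added example that is not MongoDB's code and is a simplified model rather than the actual message_compressor_zlib.cpp logic: a fixed-capacity buffer still holding bytes from an earlier message is inflated into, the vulnerable path returns the whole buffer, and the fixed path returns only the inflated length and cross-checks it against a declared uncompressed size (the declared-size field and the stale buffer contents are assumptions of this model).

```python
import zlib

# Constructed model of the length-handling bug: a preallocated "heap buffer"
# that still contains bytes from an earlier message, reused for decompression.


def _inflate_into(buf: bytearray, compressed: bytes) -> int:
    """Inflate `compressed` into the front of `buf`; return bytes actually written."""
    out = zlib.decompress(compressed)
    if len(out) > len(buf):
        raise ValueError("decompressed message exceeds buffer capacity")
    buf[: len(out)] = out
    return len(out)


def decompress_vulnerable(buf: bytearray, compressed: bytes) -> bytes:
    """Bug pattern: hands back the whole allocated buffer instead of the
    inflated length, so stale bytes after the real payload reach the caller."""
    _inflate_into(buf, compressed)
    return bytes(buf)  # capacity, not actual decompressed length


def decompress_fixed(buf: bytearray, compressed: bytes, declared_len: int) -> bytes:
    """Hardened: use the inflated length and reject a mismatch with the
    uncompressed size the message header claims (header field is assumed)."""
    n = _inflate_into(buf, compressed)
    if n != declared_len:
        raise ValueError(f"declared length {declared_len} != decompressed length {n}")
    return bytes(buf[:n])


def demo() -> tuple[bytes, bytes]:
    """Return (what the vulnerable path leaks, what the fixed path returns)."""
    capacity = 64
    # Constructed stale contents standing in for uninitialized heap memory.
    heap = bytearray(b"api_key=EXAMPLE_SECRET_DO_NOT_USE;".ljust(capacity, b"\x00"))
    payload = b"{ping:1}"
    compressed = zlib.compress(payload)
    leaked = decompress_vulnerable(bytearray(heap), compressed)
    safe = decompress_fixed(bytearray(heap), compressed, declared_len=len(payload))
    return leaked, safe


def mismatch_rejected() -> bool:
    """True when the fixed path refuses a payload whose size disagrees with the header."""
    try:
        decompress_fixed(bytearray(64), zlib.compress(b"x"), declared_len=5)
    except ValueError:
        return True
    return False
```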

Indicators of compromise associated with this vulnerability include repeated malformed compressed network requests, unusual MongoDB connections occurring prior to authentication, abnormal memory-related events recorded in MongoDB logs, and unexpected access patterns observed in the absence of valid credentials.

Impact

Successful exploitation of CVE-2025-14847 may result in:

1. Leakage of sensitive data from MongoDB server memory;
2. Exposure of user information;
3. Disclosure of passwords and API keys;
4. Progressive data harvesting over time;
5. Increased risk for internet-facing MongoDB deployments.

Solution

MongoDB has released patches addressing this vulnerability. Users and administrators are encouraged to apply the necessary updates.
