
CVE-2025-14847 ("MongoBleed") exposes MongoDB Server to unauthenticated remote attacks: a malformed zlib-compressed wire-protocol message makes the server return uninitialized heap memory to the client over the database port (27017 by default). The flaw is rated high severity (CVSS 8.7) and affects versions before 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30, plus older end-of-life branches that receive no fix. Public PoCs exist, and because the leaked heap contains whatever the server recently handled, that can include credentials, keys and document data. No in-the-wild exploitation had been reported at the time of writing, but rapid patching is critical for any instance reachable from untrusted networks.
Technical Breakdown
The vulnerability is an inconsistent length-parameter check in the zlib decompression path (CWE-130). An OP_COMPRESSED message carries an uncompressedSize field that the server trusts: it allocates a buffer of that size, inflates the zlib payload into it, and processes the whole buffer as the message even when zlib produced fewer bytes. The remainder is whatever was previously on the heap, and fragments of it come back to the client in the server's response. Decompression runs before authentication, so no credentials are needed, and zlib is one of the compressors MongoDB advertises by default, so a client only has to negotiate it during the handshake.
- Trigger: negotiate zlib in the handshake, then send an OP_COMPRESSED message (compressorId 2) over TCP/27017 whose uncompressedSize is larger than the number of bytes the zlib stream actually inflates to.
- Impact: disclosure of uninitialized heap memory, not an arbitrary read; the attacker receives whatever stale data sits in the allocated buffer. Leaked pointers could weaken ASLR for a separate memory-corruption bug, but this CVE is a read, not a write, so RCE does not follow from it alone.
- Detection: server logs and network captures show anomalous decompression activity (OP_COMPRESSED messages whose declared size disagrees with the stream, repeated compression errors from a single client); tools like runZero can confirm which unpatched instances are exposed.
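The following Python script is an added example, not code from the MongoDB project or from the original post. It builds OP_COMPRESSED messages using the public wire-protocol layout (16-byte standard header, then originalOpcode, uncompressedSize and a one-byte compressorId, followed by the zlib stream) and shows side by side a decoder that trusts uncompressedSize the way the vulnerable server did and a hardened decoder that rejects any mismatch between the declared and the actual inflated size. Python's bytearray is zero-filled, so the padding that leaks as stale heap in the C++ server appears here as zero bytes; the 48 MB cap and the sample OP_MSG body are assumptions.

```python
import struct
import zlib
from typing import Optional, Tuple

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2                    # wire-protocol compressor ids: 0 noop, 1 snappy, 2 zlib, 3 zstd
MAX_MESSAGE_SIZE = 48 * 1024 * 1024    # assumed cap on uncompressedSize (MongoDB's max message size)

HEADER = struct.Struct("<iiii")        # messageLength, requestID, responseTo, opCode
COMP_HDR = struct.Struct("<iiB")       # originalOpcode, uncompressedSize, compressorId

# Constructed OP_MSG body for {ping: 1}: flagBits=0, section kind 0, then the BSON document.
SAMPLE_BODY = b"\x00\x00\x00\x00" + b"\x00" + b"\x0f\x00\x00\x00\x10ping\x00\x01\x00\x00\x00\x00"


def build_op_compressed(body: bytes, declared_size: Optional[int] = None,
                        request_id: int = 1) -> bytes:
    """Wrap an OP_MSG body in OP_COMPRESSED using zlib.

    declared_size overrides the real length written into uncompressedSize,
    which is exactly the inconsistency a hardened decoder must reject.
    """
    stream = zlib.compress(body)
    size = len(body) if declared_size is None else declared_size
    payload = COMP_HDR.pack(OP_MSG, size, COMPRESSOR_ZLIB) + stream
    header = HEADER.pack(HEADER.size + len(payload), request_id, 0, OP_COMPRESSED)
    return header + payload


def _split(msg: bytes) -> Tuple[int, int, bytes]:
    """Parse both headers; return (uncompressedSize, compressorId, zlib stream)."""
    if len(msg) < HEADER.size + COMP_HDR.size:
        raise ValueError("message shorter than the two headers")
    msg_len, _, _, opcode = HEADER.unpack_from(msg, 0)
    if msg_len != len(msg) or opcode != OP_COMPRESSED:
        raise ValueError("bad messageLength or opCode")
    _orig_op, declared, comp_id = COMP_HDR.unpack_from(msg, HEADER.size)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError("unsupported compressor id %d" % comp_id)
    return declared, comp_id, msg[HEADER.size + COMP_HDR.size:]


def decode_trusting(msg: bytes) -> bytes:
    """Vulnerable pattern: size the buffer from uncompressedSize, inflate into it,
    and hand back the WHOLE buffer. Bytes zlib never wrote keep their old contents
    (stale heap in the C++ server; zeros in this Python stand-in)."""
    declared, _, stream = _split(msg)
    buf = bytearray(declared)                 # stands in for an uninitialized heap allocation
    inflated = zlib.decompress(stream)
    buf[:len(inflated)] = inflated
    return bytes(buf)


def decode_checked(msg: bytes) -> bytes:
    """Hardened pattern: bound the declared size, never inflate past it, and
    require the zlib stream to end exactly at that size."""
    declared, _, stream = _split(msg)
    if declared <= 0 or declared > MAX_MESSAGE_SIZE:
        raise ValueError("uncompressedSize out of range")
    d = zlib.decompressobj()
    out = d.decompress(stream, declared)      # cap output at the declared size
    if not d.eof or d.unconsumed_tail or d.unused_data:
        raise ValueError("zlib stream does not end at uncompressedSize")
    if len(out) != declared:
        raise ValueError("zlib stream inflates to less than uncompressedSize")
    return out


if __name__ == "__main__":
    good = build_op_compressed(SAMPLE_BODY)
    bad = build_op_compressed(SAMPLE_BODY, declared_size=len(SAMPLE_BODY) + 4096)
    print("trusting decoder, honest message :", len(decode_trusting(good)), "bytes")
    print("trusting decoder, inflated size  :", len(decode_trusting(bad)), "bytes (padding returned)")
    print("checked decoder, honest message  :", len(decode_checked(good)), "bytes")
    try:
        decode_checked(bad)
    except ValueError as e:
        print("checked decoder, inflated size   : rejected,", e)
```

The important line is the one that rejects `len(out) != declared`: the trusting decoder returns 4096 bytes it never received, which is the exact shape of the leak, while the checked decoder refuses the message before any of that buffer can reach a response.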
Affected Systems
| MongoDB Branch | Vulnerable Versions | Fixed Versions |
|---|---|---|
| 8.x | < 8.2.3 | 8.2.3 |
| 8.0.x | < 8.0.17 | 8.0.17 |
| 7.0.x | < 7.0.28 | 7.0.28 |
| 6.0.x | < 6.0.27 | 6.0.27 |
| 5.0.x | < 5.0.32 | 5.0.32 |
| 4.4.x | < 4.4.30 | 4.4.30 |
Red Hat and HKCERT advisories confirm impacts across distros.
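To turn the table above into a fleet check, here is an added Python example (not from the MongoDB project or the original post). It parses the version out of a `db.version()` result or the first line of `mongod --version`, maps it to the branch in the table and reports fixed/vulnerable. Assumptions: 8.1.x rapid releases are treated under the "8.x, < 8.2.3" row; anything older than 4.4 is reported vulnerable because the page lists no fix for it; branches not in the table (for example old 6.x rapid releases) are reported as unknown rather than guessed. The inventory is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per supported branch, taken from the advisory table.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Matches "8.0.12", "v8.0.12", or the "db version v8.0.12" line of `mongod --version`.
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory: host -> raw version string as returned by the server.
SAMPLE_INVENTORY = {
    "db-prod-1": "db version v8.0.12",
    "db-prod-2": "db version v8.0.17",
    "db-legacy": "db version v4.2.25",
    "db-rapid": "db version v8.1.2",
    "db-unknown": "connection refused",
}


def parse_version(text: str) -> Optional[Version]:
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def cve_2025_14847_status(text: str) -> str:
    """Classify one version string against the fixed-version table."""
    v = parse_version(text)
    if v is None:
        return "unknown: no version string found"
    major, minor, _ = v
    if major > 8:
        return "fixed"                       # newer than every branch in the table
    # 8.1.x rapid releases fall under the "8.x < 8.2.3" row (assumption).
    branch = (8, 2) if (major == 8 and minor >= 1) else (major, minor)
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        if v < (4, 4, 0):
            return "vulnerable: end-of-life branch, no fix listed"
        return "unknown: branch not in the advisory table"
    if v >= fixed:
        return "fixed"
    return "vulnerable: upgrade to %d.%d.%d" % fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Apply the check to a host -> version-string map."""
    return {host: cve_2025_14847_status(text) for host, text in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, status))
```

Feed it real data by collecting `db.version()` from each replica-set member and mongos (shards and config servers run their own mongod and need the same check).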
Mitigation Steps
- Upgrade to the patched release for your branch from the MongoDB repositories; this is the only real fix.
- Reduce exposure until then: bind mongod to private interfaces (net.bindIp) and firewall TCP/27017 so only application hosts can reach it. TLS and authentication remain good practice, but they do not block this bug, because the faulty decompression runs before authentication.
- If zlib is not needed, remove it from the compressor list the server will negotiate, e.g. net.compression.compressors: snappy (or snappy,zstd), so clients can no longer select the vulnerable code path. The setting names every compressor the server accepts, so list each one you still want; restart mongod for it to take effect.
Pingback: MongoBleed Now in CISA KEV After Global Exploitation Wave – TheCyberThrone