MongoBleed Now in CISA KEV After Global Exploitation Wave

MongoBleed, tracked as CVE-2025-14847, represents a critical unauthenticated memory-leak vulnerability in MongoDB’s zlib-based network compression, allowing remote attackers to extract sensitive uninitialized heap memory from exposed servers. CISA added it to the KEV catalog on December 29, 2025, confirming active worldwide exploitation against over 87,000 internet-facing instances.

Vulnerability Details

CVE-2025-14847 (CVSS 8.7) affects MongoDB Server versions 4.4–8.2 prior to patches when zlib compression is enabled, stemming from improper length parameter handling during decompression of crafted network messages. Disclosure occurred on December 18, 2025, with rapid in-the-wild exploitation reported by multiple security firms.

Exploitation Patterns

Active attacks focus on opportunistic data exfiltration via public PoC exploits. Geographic hotspots include the United States (~20,000 instances), China (~17,000), Germany (~8,000), India, and France among 87k+ exposed servers. Threat actors remain unattributed to specific APTs or ransomware groups, with automated scanners driving the campaigns. Affected sectors span cloud-hosted and self-managed MongoDB in finance, healthcare, and tech, with 42% of scanned environments vulnerable.

CISA KEV Implications

Federal agencies must apply mitigations by January 19, 2026, per BOD 22-01, elevating prioritization in vulnerability management workflows. This signals imminent mass scanning by both defenders and attackers.

Mitigations and Detection

Mitigation for CVE-2025-14847 (MongoBleed) requires immediate patching to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. Where patching cannot happen immediately, disable zlib compression by setting net.compression.compressors to snappy,zstd (or to disabled) in mongod.conf and restarting the service.
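As an added triage helper (not code from the article or from MongoDB), the script below checks a reported server version against the fixed releases listed above and parses the net.compression.compressors value to decide whether zlib is still offered. It assumes that an absent setting falls back to mongod's default compressor list, which includes zlib, and that a branch not in the fix list (for example 4.2) cannot be assessed from this article alone.

```python
from typing import Optional, Tuple

# First fixed release per supported branch, as listed in the article.
FIXED = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Assumption: an unset net.compression.compressors uses mongod's default
# list, which includes zlib, so such a server is treated as zlib-enabled.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.0.28' (or '7.0.28-rc0', '7.0.28-ent') into a comparable tuple."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(version: str) -> Optional[bool]:
    """True/False for branches in FIXED; None if the branch is not listed."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v >= fixed


def zlib_enabled(compressors: Optional[str] = None) -> bool:
    """Parse the comma-separated compressor list; 'disabled' turns all off."""
    if compressors is None:
        compressors = DEFAULT_COMPRESSORS
    names = {c.strip().lower() for c in compressors.split(",") if c.strip()}
    if names == {"disabled"}:
        return False
    return "zlib" in names


def assess(version: str, compressors: Optional[str] = None) -> str:
    """Combine version and config into one verdict for a vulnerability ticket."""
    patched = is_patched(version)
    if patched is None:
        return "unknown-branch"
    if patched:
        return "patched"
    return "vulnerable" if zlib_enabled(compressors) else "mitigated-by-config"
```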

Network hardening includes firewalling ports 27017/27018 to trusted IPs only, rotating any credentials that may have been exposed, and monitoring logs for anomalous pre-authentication traffic or repeated compression probes, which YARA/Suricata rules and version-scanning tools can detect.
