Severity: high. Published December 29, 2025.

MongoBleed (CVE-2025-14847) exploited in the wild


MongoDB has disclosed CVE-2025-14847, a high-severity vulnerability dubbed MongoBleed that affects multiple supported and legacy MongoDB Server versions. The flaw stems from improper handling in MongoDB's zlib-based network message decompression logic, which runs before authentication. Unauthenticated attackers can exploit the vulnerability remotely with low complexity by sending malformed compressed network packets that cause the server to mishandle decompressed message lengths. The result is that uninitialized heap memory is returned to the client, allowing attackers to leak fragments of sensitive in-memory data without valid credentials or user interaction.

The vulnerability is particularly dangerous because it can be reached prior to authentication and affects Internet-exposed MongoDB servers. A working exploit has been publicly available since December 26, 2025, with initial reports of exploitation in the wild shortly after. Research data indicates that 42% of cloud environments have at least one vulnerable MongoDB instance, with approximately 87,000 potentially vulnerable instances observed worldwide. While MongoDB Atlas instances have been automatically upgraded, self-hosted MongoDB instances remain at risk until patched. The vulnerability also affects certain Linux distribution packages like rsync that use zlib, though exploitation details for these packages remain unknown.

Detections

Additional detection ideas
  • Monitor public-facing services for exploitation patterns: unusual POST bodies, deserialization payloads
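One concrete way to act on the detection idea above, as an added example that is not part of the brief or of MongoDB's own code: a Python check that parses a MongoDB OP_COMPRESSED envelope and flags zlib payloads whose declared uncompressedSize disagrees with what the data actually inflates to, the kind of length inconsistency the brief describes. The opcode, field layout and compressor id follow the public MongoDB wire protocol; the sample messages are constructed inline, and since the brief does not state the exact malformed input seen in the wild, this is a general consistency rule for captured or proxied traffic rather than a signature for that input.

```python
import struct
import zlib
from typing import Dict, Tuple

OP_COMPRESSED = 2012             # MongoDB wire-protocol opcode for compressed envelopes
OP_MSG = 2013                    # opcode of the inner message in the constructed sample
COMPRESSOR_ZLIB = 2              # compressorId value that selects zlib
MAX_INFLATE = 48 * 1024 * 1024   # ceiling on inflated bytes so a zlib bomb cannot exhaust memory

def inspect_compressed(msg: bytes) -> Tuple[bool, str]:
    """Return (consistent, reason) for one wire message: for OP_COMPRESSED with zlib,
    does the declared uncompressedSize match what the payload really inflates to?"""
    if len(msg) < 16:                      # MsgHeader: messageLength, requestID, responseTo, opCode
        return False, "MsgHeader too short"
    msg_len, _req_id, _resp_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED:
        return True, "not an OP_COMPRESSED message"
    if msg_len != len(msg) or len(msg) < 25:   # header + originalOpcode + uncompressedSize + compressorId
        return False, f"messageLength {msg_len} disagrees with {len(msg)} bytes on the wire"
    _orig_op, declared, comp_id = struct.unpack_from("<iiB", msg, 16)
    if comp_id != COMPRESSOR_ZLIB:
        return True, "non-zlib compressor, not inspected here"
    inflater = zlib.decompressobj()
    try:
        inflated = inflater.decompress(msg[25:], MAX_INFLATE)
    except zlib.error as exc:
        return False, f"zlib rejected payload: {exc}"
    if inflater.unconsumed_tail or not inflater.eof or inflater.unused_data:
        return False, "stream oversized, truncated, or followed by trailing bytes"
    if len(inflated) != declared:
        return False, f"declared uncompressedSize {declared} != actual {len(inflated)}"
    return True, "consistent"

def wrap_compressed(inner: bytes, request_id: int = 1) -> bytes:
    """Constructed sample traffic: a well-formed OP_COMPRESSED envelope around `inner`."""
    body = struct.pack("<iiB", OP_MSG, len(inner), COMPRESSOR_ZLIB) + zlib.compress(inner)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_COMPRESSED) + body

def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over a consistent sample and a copy whose declared size
    field was overwritten so the header and the inflated length disagree."""
    good = wrap_compressed(b"\x00\x00\x00\x00" + b"constructed-inner-op_msg-body")
    declared = struct.unpack_from("<i", good, 20)[0]
    bad = good[:20] + struct.pack("<i", declared + 4096) + good[24:]
    return {"consistent": inspect_compressed(good), "mismatched": inspect_compressed(bad)}
```

Run against a pcap or proxy tap by feeding each reassembled MongoDB message to inspect_compressed; a False result from a pre-authentication client is what to alert on.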