Full Report
A recently disclosed vulnerability affecting MongoDB instances has reportedly been exploited in the wild. Exploit code has been released for this flaw, dubbed MongoBleed.

Key takeaways:

- MongoBleed is an uninitialized memory disclosure vulnerability affecting multiple versions of MongoDB.
- Exploitation of MongoDB has been observed and exploit code is publicly available.
- Immediate patching is recommended: the combination of public exploit code and a high number of potentially affected internet-connected instances makes this a flaw attackers will be targeting.

## Background

On December 19, MongoDB issued a security advisory to address a vulnerability in MongoDB's zlib decompression implementation.

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2025-14847 | MongoDB Uninitialized Memory Leak Vulnerability ("MongoBleed") | 7.5 | 8.0* |

*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on December 29 and reflects VPR at that time.

## Analysis

CVE-2025-14847 is an uninitialized memory disclosure vulnerability (described in the advisory as a "memory leak") affecting MongoDB instances on which zlib network compression is enabled. A flaw in how MongoDB implements zlib decompression allows an unauthenticated attacker to read uninitialized server memory, which can contain sensitive data including credentials, session tokens and API keys. The flaw was dubbed "MongoBleed" by Elastic Security researcher Joe Desimone, who published a proof-of-concept demonstrating it. Exploitation requires zlib compression to be enabled and the attacker to reach a vulnerable MongoDB instance over the network (internet-exposed instances are the primary concern), and reports of in-the-wild exploitation have already begun.

According to Censys, over 87,000 potentially vulnerable MongoDB instances have been identified, with the largest concentration in the United States.

(Figure omitted. Source: Censys)

## Proof of concept

On December 25, a public proof-of-concept (PoC) was released on GitHub. The PoC demonstrates how data can be leaked from uninitialized memory.
According to the PoC details, the following data could be leaked:

- MongoDB internal logs and state
- WiredTiger storage engine configuration
- System /proc data (meminfo, network stats)
- Docker container paths
- Connection UUIDs and client IPs

## Solution

MongoDB has released patches to address this vulnerability as outlined in the table below:

| Affected Version | Fixed Version |
| --- | --- |
| MongoDB Server v3.6 (all versions) | Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 or later |
| MongoDB Server v4.0 (all versions) | Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 or later |
| MongoDB Server v4.2 (all versions) | Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 or later |
| MongoDB 4.4.0 through 4.4.29 | Upgrade to MongoDB 4.4.30 or later |
| MongoDB 5.0.0 through 5.0.31 | Upgrade to MongoDB 5.0.32 or later |
| MongoDB 6.0.0 through 6.0.26 | Upgrade to MongoDB 6.0.27 or later |
| MongoDB 7.0.0 through 7.0.26 | Upgrade to MongoDB 7.0.28 or later |
| MongoDB 8.0.0 through 8.0.16 | Upgrade to MongoDB 8.0.17 or later |
| MongoDB 8.2.0 through 8.2.2 | Upgrade to MongoDB 8.2.3 or later |

Note that the 3.6, 4.0 and 4.2 branches receive no fixed release of their own; the only remediation for those servers is to upgrade to a supported branch.

According to the MongoDB security advisory, if immediate patching cannot be performed, the suggested workaround is to disable zlib compression. In addition, we recommend limiting network access to MongoDB instances to trusted IP addresses only. While this step was not outlined in the advisory, MongoDB recommends it as a security best practice.

## Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-14847 as they are released.
This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to identify assets running MongoDB services by using the filter 'Services contains mongod' (screenshot not reproduced here).

## Get more information

- MongoDB Security Advisory
- Censys: MongoBleed - Critical MongoDB Uninitialized Memory Disclosure Vulnerability [CVE-2025-14847]

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: MongoBleed - MongoDB Uninitialized Memory Leak
## CVE Details
- CVE ID: CVE-2025-14847
- CVSS Score: 7.5 (High)
- CWE: Not explicitly listed, but related to memory handling/initialization (Uninitialized Memory Leak).
## Affected Systems
- Products: MongoDB Server
- Versions:
- All versions of MongoDB Server v3.6, v4.0, v4.2
- MongoDB 4.4.0 through 4.4.29
- MongoDB 5.0.0 through 5.0.31
- MongoDB 6.0.0 through 6.0.26
- MongoDB 7.0.0 through 7.0.26
- MongoDB 8.0.0 through 8.0.16
- MongoDB 8.2.0 through 8.2.2
- Configurations: Requires zlib network compression to be enabled on the server and the attacker to reach the instance over the network; internet-exposed instances are the primary concern, but any network-reachable vulnerable instance meets the precondition.
## Vulnerability Description
CVE-2025-14847 is an uninitialized memory disclosure vulnerability (the advisory calls it a "memory leak") stemming from a flaw in how MongoDB implements zlib decompression. An unauthenticated attacker can read uninitialized server memory, which may contain sensitive information such as credentials, session tokens, and API keys.
## Exploitation
- Status: Exploited in the wild, Exploit code released (PoC available)
- Complexity: Low. No authentication or user interaction is required; unauthenticated network access to an exposed instance with zlib enabled is sufficient. This is consistent with the 7.5 score, which matches the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
- Attack Vector: Network
## Impact
- Confidentiality: High (leakage of credentials, session tokens and API keys from server memory).
- Integrity: None directly; the flaw only reads memory. Secondary risk arises if leaked credentials are reused to modify data.
- Availability: None directly; "memory leak" here means disclosure of uninitialized memory contents, not a resource leak that exhausts server memory.
## Remediation
### Patches
Upgrade to the following fixed versions or later:
- MongoDB Server v3.6: Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 or later
- MongoDB Server v4.0: Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 or later
- MongoDB Server v4.2: Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 or later
- MongoDB 4.4.0 through 4.4.29: Upgrade to 4.4.30 or later
- MongoDB 5.0.0 through 5.0.31: Upgrade to 5.0.32 or later
- MongoDB 6.0.0 through 6.0.26: Upgrade to 6.0.27 or later
- MongoDB 7.0.0 through 7.0.26: Upgrade to 7.0.28 or later
- MongoDB 8.0.0 through 8.0.16: Upgrade to 8.0.17 or later
- MongoDB 8.2.0 through 8.2.2: Upgrade to 8.2.3 or later
### Workarounds
1. **Disable zlib compression:** If immediate patching is not feasible.
2. **Limit network access:** Restrict network access to MongoDB instances to only trusted IP addresses.
## Detection
- Indicators of Compromise: None published in the source. The PoC output shows what an attacker obtains from a vulnerable server: MongoDB internal logs/state, WiredTiger configuration, system `/proc` data (meminfo, network stats), Docker container paths, connection UUIDs, and client IPs.
- Detection Methods and Tools: Reference Tenable plugins available on the CVE page for CVE-2025-14847. Tenable Attack Surface Management can identify affected assets using the filter 'Services contains mongod'.
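The version and configuration checks the Remediation and Detection sections call for, written out as an added triage helper (example code added here; it is not Tenable's plugin logic and not MongoDB's code). It encodes the fixed versions from the advisory table above and inspects the document returned by MongoDB's `getCmdLineOpts` admin command; `net.compression.compressors` and the `--networkMessageCompressors` option are MongoDB's real settings for network compression, and `disabled` is the documented value that turns compression off. The sample `getCmdLineOpts` document is constructed for the example, not captured from a real host, and treating an absent compressor setting as "zlib enabled" is a deliberately conservative assumption.

```python
"""Triage helper for CVE-2025-14847 ("MongoBleed"): example code, not vendor code.

Two checks a practitioner needs when working the advisory:
  1. Is this server version in the affected range, and what is the fix?
  2. Is zlib network compression enabled (the precondition for exploitation)?
"""
import re

# Fixed releases per the MongoDB advisory; 3.6/4.0/4.2 get no fixed release
# and must move to a supported branch.
FIXED = {
    (4, 4): (4, 4, 30),
    (5, 0): (5, 0, 32),
    (6, 0): (6, 0, 27),
    (7, 0): (7, 0, 28),
    (8, 0): (8, 0, 17),
    (8, 2): (8, 2, 3),
}
NO_FIX_BRANCHES = {(3, 6), (4, 0), (4, 2)}
UPGRADE_TARGETS = "8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 or 4.4.30"


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v7.0.12' or the
    'version' field of buildInfo, e.g. '7.0.12-rc0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def classify_version(text):
    """Return (status, advice); status is 'vulnerable', 'fixed' or 'unlisted'.
    Anything below the fixed release on a listed branch is reported as
    vulnerable, which is conservative for point releases the advisory does
    not name individually (e.g. 7.0.27)."""
    v = parse_version(text)
    branch = v[:2]
    if branch in NO_FIX_BRANCHES:
        return "vulnerable", f"no fixed release on this branch; upgrade to {UPGRADE_TARGETS} or later"
    if branch in FIXED:
        fixed = FIXED[branch]
        if v >= fixed:
            return "fixed", "no action needed for this CVE"
        return "vulnerable", "upgrade to %d.%d.%d or later" % fixed
    return "unlisted", "branch not named in the advisory; confirm with the vendor"


def zlib_enabled(cmdline_opts):
    """Given the document from db.adminCommand({getCmdLineOpts: 1}), report
    whether zlib is among the accepted network compressors. The setting lives
    at parsed.net.compression.compressors (config file) or is passed as
    --networkMessageCompressors on the command line. If neither is present the
    server uses its built-in default list; this helper assumes that default
    includes zlib and reports 'enabled' (conservative assumption)."""
    parsed = cmdline_opts.get("parsed", {})
    value = parsed.get("net", {}).get("compression", {}).get("compressors")
    if value is None:
        argv = cmdline_opts.get("argv", [])
        for i, arg in enumerate(argv):
            if arg.startswith("--networkMessageCompressors="):
                value = arg.split("=", 1)[1]
            elif arg == "--networkMessageCompressors" and i + 1 < len(argv):
                value = argv[i + 1]
    if value is None:
        return True
    return "zlib" in [c.strip().lower() for c in value.split(",")]


def harden_compressors(value):
    """Advisory workaround: drop zlib from the compressor list, keeping the
    others; if nothing remains, use the literal 'disabled'."""
    keep = [c.strip() for c in value.split(",") if c.strip() and c.strip().lower() != "zlib"]
    return ",".join(keep) if keep else "disabled"


if __name__ == "__main__":
    # Constructed sample shaped like getCmdLineOpts output; not from a real host.
    sample = {
        "argv": ["mongod", "--config", "/etc/mongod.conf"],
        "parsed": {
            "config": "/etc/mongod.conf",
            "net": {"bindIp": "0.0.0.0", "port": 27017,
                    "compression": {"compressors": "snappy,zstd,zlib"}},
        },
    }
    for ver in ("4.2.24", "7.0.12", "7.0.28", "8.1.0"):
        print(ver, *classify_version(ver))
    print("zlib enabled:", zlib_enabled(sample))
    print("set net.compression.compressors to:",
          harden_compressors(sample["parsed"]["net"]["compression"]["compressors"]))
```

In practice, feed `classify_version` the `version` field of `buildInfo` and `zlib_enabled` the result of `getCmdLineOpts`, both obtainable from any client with admin access; the hardened value from `harden_compressors` is what goes into `net.compression.compressors` in `mongod.conf` (followed by a restart) until the server can be upgraded.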
## References
- Vendor Advisories: https://jira.mongodb.org/browse/SERVER-115508
- Relevant Links: https://censys.com/advisory/cve-2025-14847