Full Report
Detect and mitigate CVE-2025-14847, an unauthenticated information leak vulnerability in MongoDB. Exploitation has been observed in the wild. Organizations should patch urgently.
Analysis Summary
# Vulnerability: MongoBleed - Unauthenticated Information Leak in MongoDB
## CVE Details
- CVE ID: CVE-2025-14847
- CVSS Score: Not explicitly provided, but described as **high-severity**.
- CWE: Related to improper handling of compressed network packets/length checking.
## Affected Systems
- Products: MongoDB Server, certain distributions of rsync (using zlib).
- Versions:
  - MongoDB Server: 8.2.0 through 8.2.2, 8.0.0 through 8.0.16, 7.0.0 through 7.0.27, 6.0.0 through 6.0.26, 5.0.0 through 5.0.31, 4.4.0 through 4.4.29, and all v4.2, v4.0, and v3.6 versions.
  - Note: MongoDB Atlas instances were automatically upgraded.
- Configurations: Self-hosted instances utilizing zlib compression for network messages. Versions that are end-of-life (EOL) remain permanently vulnerable.
## Vulnerability Description
CVE-2025-14847 is an unauthenticated information leak vulnerability stemming from a flaw in MongoDB Server's zlib-based network message decompression logic, which executes before any authentication check. An attacker can send malformed compressed network packets that trigger incorrect length handling in `message_compressor_zlib.cpp`. As a result, a vulnerable server returns uninitialized heap memory, which may contain sensitive in-memory data fragments or credentials, to the unauthenticated client.
## Exploitation
- Status: **Exploited in the wild**. A working exploit has been publicly available since December 26, 2025.
- Complexity: **Low**. Exploitation is remote and requires no user interaction.
- Attack Vector: **Network** (Remote, Unauthenticated).
## Impact
- Confidentiality: **High** (Exfiltration of sensitive data and credentials).
- Integrity: Low/Unknown (the description focuses on the leak, not on data modification).
- Availability: Low/Unknown (the exploit may cause server crashes, but this is not the primary documented impact).
## Remediation
### Patches
Organizations must upgrade immediately to patched versions:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30
For versions with no patched release (end-of-life branches), plan an upgrade to a supported branch.
### Workarounds
If immediate patching is not possible:
1. Disable zlib compression by explicitly omitting it from the configuration parameter `networkMessageCompressors` or `net.compression.compressors`.
2. Utilize safe compression alternatives such as `snappy` or `zstd`, or fully disable network compression.
3. Restrict network exposure of MongoDB servers using firewall rules or private networking.
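An added audit helper, not part of the advisory, that applies the affected ranges, fixed releases and the zlib workaround above to a `mongod` version string and a `mongod.conf` snippet. The config parsing is a deliberately simple regex over the `compressors:` key and the `--networkMessageCompressors` flag, and the sample config is constructed; an unset key is treated as unmitigated because the workaround requires zlib to be omitted explicitly.

```python
import re
# Affected ranges and fixing release per branch, from this advisory; EOL branches have no fix.
AFFECTED = {
    (8, 2): ((8, 2, 0), (8, 2, 2)), (8, 0): ((8, 0, 0), (8, 0, 16)),
    (7, 0): ((7, 0, 0), (7, 0, 27)), (6, 0): ((6, 0, 0), (6, 0, 26)),
    (5, 0): ((5, 0, 0), (5, 0, 31)), (4, 4): ((4, 4, 0), (4, 4, 29)),
}
FIXED = {(8, 2): "8.2.3", (8, 0): "8.0.17", (7, 0): "7.0.28",
         (6, 0): "6.0.27", (5, 0): "5.0.32", (4, 4): "4.4.30"}
EOL = {(4, 2), (4, 0), (3, 6)}

def parse_version(text):
    """Accept '7.0.12' or the 'db version v7.0.12' banner form."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def version_vulnerable(text):
    """True when the version is inside an affected range or on an EOL branch."""
    v = parse_version(text)
    if v[:2] in EOL:
        return True
    rng = AFFECTED.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]

def configured_compressors(conf_text):
    """Compressor list from a mongod.conf `compressors:` line or a
    --networkMessageCompressors flag; None means unset, i.e. the server
    default applies and zlib has not been omitted explicitly."""
    m = re.search(r"(?:^\s*compressors:|--networkMessageCompressors[ =])\s*\"?"
                  r"([\w,\s]+?)\"?\s*(?:#.*)?$", conf_text, re.MULTILINE)
    if not m:
        return None
    return [c.strip().lower() for c in m.group(1).split(",") if c.strip()]

def assess(version_text, conf_text):
    """Exposed only if the build is vulnerable AND zlib is still negotiable."""
    vuln = version_vulnerable(version_text)
    comps = configured_compressors(conf_text)
    zlib_on = comps is None or "zlib" in comps
    branch = parse_version(version_text)[:2]
    return {"version_vulnerable": vuln, "zlib_enabled": zlib_on,
            "exposed": vuln and zlib_on,
            "fix": FIXED.get(branch, "none: end-of-life branch") if vuln else None}

if __name__ == "__main__":
    # Constructed sample: a vulnerable 6.0 build whose config already drops zlib.
    SAMPLE_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd  # zlib removed\n"
    print(assess("db version v6.0.20", SAMPLE_CONF))
```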
## Detection
- Indicators of Compromise: Anomalous network connections to MongoDB ports occurring **prior to authentication**.
- Detection Methods and Tools: Monitor MongoDB logs for unexpected crashes and for pre-authentication traffic patterns. External detection tools (e.g., those published by Eric Capuano or Florian Roth; specific tool URLs are not listed here) can be used to hunt for exposed instances.
## References
- Vendor Advisory: MongoDB community forum announcement ([defanged: https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977])
- Detection Guidance: Guided hunting methodology ([defanged: https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847])
- External Reporting: Advisory from Censys ([defanged: https://censys.com/advisory/cve-2025-14847])