
MongoDB Patches MongoBleed Vulnerability Across All Versions

MongoDB released critical security patches addressing CVE-2025-14847, a memory leak vulnerability under active exploitation that affects over 87,000 servers worldwide.


TechDrop Editorial


MongoDB's Security Engineering team disclosed CVE-2025-14847 on December 12, 2025: a critical vulnerability nicknamed "MongoBleed" that lets unauthenticated attackers remotely leak sensitive data from MongoDB server memory. With a CVSS score of 8.7 and active exploitation confirmed by CISA on December 29, organizations are urged to patch immediately.

Technical Details and Impact

The vulnerability stems from incorrect length handling in MongoDB's zlib message decompression implementation (message_compressor_zlib.cpp). The affected code returns the allocated buffer size instead of the actual decompressed data length, allowing malformed payloads to expose adjacent heap memory. Since zlib compression is enabled by default, all MongoDB instances running affected versions are vulnerable. Successful exploitation can leak sensitive information including user credentials, passwords, and API keys.
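The following is an added illustration of the bug class described above, not MongoDB's code and not the actual message_compressor_zlib.cpp logic: a decompressor inflates into a reused, fixed-size buffer, and the buggy variant reports the buffer's allocated size instead of the number of bytes actually written, so whatever the buffer held from earlier use is returned alongside the real message. The buffer size, the stale contents and the message are constructed sample values.

```python
import zlib

ARENA_SIZE = 64  # constructed: a small, reused output buffer standing in for a heap arena


def _inflate_into(payload: bytes, arena: bytearray) -> int:
    """Inflate payload into arena and return the number of bytes actually written."""
    d = zlib.decompressobj()
    out = d.decompress(payload, len(arena))  # never write past the buffer
    if d.unconsumed_tail:
        raise ValueError("decompressed data exceeds the output buffer")
    arena[:len(out)] = out
    return len(out)


def decompress_buggy(payload: bytes, arena: bytearray) -> bytes:
    """Bug class from the advisory: the returned length is the allocated size, not the written size."""
    _inflate_into(payload, arena)
    return bytes(arena)  # stale bytes beyond the real message are treated as message data


def decompress_fixed(payload: bytes, arena: bytearray) -> bytes:
    """Corrected: only the bytes the inflater actually produced are returned."""
    written = _inflate_into(payload, arena)
    return bytes(arena[:written])


def make_arena(stale: bytes) -> bytearray:
    """Build a buffer pre-filled with leftover data from a previous use (constructed)."""
    arena = bytearray(ARENA_SIZE)
    stale = stale[:ARENA_SIZE]
    arena[:len(stale)] = stale
    return arena


def leaked_byte_count(payload: bytes, stale: bytes) -> int:
    """How many bytes the buggy variant returns beyond the real decompressed message."""
    buggy = decompress_buggy(payload, make_arena(stale))
    fixed = decompress_fixed(payload, make_arena(stale))
    return len(buggy) - len(fixed)


if __name__ == "__main__":
    previous = b"previous-request: password=hunter2 " * 2  # constructed stale heap contents
    message = zlib.compress(b"hello")
    print("fixed :", decompress_fixed(message, make_arena(previous)))
    print("buggy :", decompress_buggy(message, make_arena(previous)))
    print("leaked:", leaked_byte_count(message, previous), "bytes")
```

The fixed variant is the whole fix in miniature: the length that reaches the caller must come from the inflater, never from the allocation.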

Affected Versions and Patches

The vulnerability impacts MongoDB versions 8.2.0-8.2.2, 8.0.0-8.0.16, 7.0.0-7.0.27, 6.0.0-6.0.26, 5.0.0-5.0.31, 4.4.0-4.4.29, and all v4.2, v4.0, and v3.6 releases. MongoDB released patches in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Organizations unable to patch immediately should disable zlib compression by configuring networkMessageCompressors to omit zlib, restrict network exposure of MongoDB servers, and monitor logs for anomalous pre-authentication connections.
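As an added triage helper (not MongoDB tooling), the script below encodes the affected ranges and fixed releases exactly as listed above and reports, for a given server version and the configured compressor list, whether an upgrade is needed and whether the interim zlib workaround still applies. The compressor list is the value of networkMessageCompressors (the net.compression.compressors key in the YAML config file); passing None models the default, which the advisory notes includes zlib. Series not named on the page are treated as not affected, so extend the table if later advisories change that.

```python
# (major, minor) -> (last affected patch level, first fixed release), from the advisory
AFFECTED_SERIES = {
    (8, 2): (2, "8.2.3"),
    (8, 0): (16, "8.0.17"),
    (7, 0): (27, "7.0.28"),
    (6, 0): (26, "6.0.27"),
    (5, 0): (31, "5.0.32"),
    (4, 4): (29, "4.4.30"),
}
# Series where every release is affected and no fixed release is listed
ALL_AFFECTED_NO_FIX = {(4, 2), (4, 0), (3, 6)}


def parse_version(version: str) -> tuple:
    """'7.0.27' or '7.0.27-rc0' -> (7, 0, 27); missing components become 0."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fixed_version(version: str):
    """First patched release for this server's series, or None if none is listed."""
    major, minor, _ = parse_version(version)
    entry = AFFECTED_SERIES.get((major, minor))
    return entry[1] if entry else None


def is_affected(version: str) -> bool:
    major, minor, patch = parse_version(version)
    if (major, minor) in ALL_AFFECTED_NO_FIX:
        return True
    entry = AFFECTED_SERIES.get((major, minor))
    return entry is not None and patch <= entry[0]


def zlib_enabled(compressors) -> bool:
    """True if zlib is negotiable; None means the default list, which includes zlib."""
    if compressors is None:
        return True
    return "zlib" in [c.strip().lower() for c in compressors.split(",")]


def triage(version: str, compressors=None) -> list:
    """Return the actions the advisory calls for, in order of priority."""
    actions = []
    if is_affected(version):
        fix = fixed_version(version)
        actions.append(
            f"upgrade to {fix}" if fix
            else "no fixed release listed for this series; migrate to a patched series"
        )
        if zlib_enabled(compressors):
            actions.append("until patched, remove zlib from networkMessageCompressors")
    return actions


if __name__ == "__main__":
    # constructed sample inventory: (version, configured compressors or None for default)
    for ver, comp in [("7.0.27", None), ("7.0.27", "snappy,zstd"), ("8.2.3", None), ("4.2.5", None)]:
        print(f"{ver:>8} {comp or 'default':<12} -> {triage(ver, comp) or ['no action']}")
```

Removing zlib closes only the decompression path described in the advisory; the upgrade remains the actual fix, which is why the helper lists it first even when zlib is already disabled.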
