Published on December 1, 2025
CVE-2025-14847 — nicknamed “MongoBleed”. Pre-authentication, reachable from the internet, public PoC in circulation. Treat any MongoDB instance exposed without the patch as compromised until proven otherwise.
The short version
MongoDB’s network transport bundles a zlib decompressor that does not strictly validate the size of the decompressed payload. When a client advertises a compressed frame that is smaller than the buffer the server allocated for it, the server returns that buffer without zeroing it out: the leftover bytes are stale heap contents, in other words, chunks of RAM previously used by other requests.
The attacker does not need any account: compression is negotiated during the handshake, before authentication. Repeating the trick lets them collect memory fragments request after request.
What ends up leaking, in practice
Researchers who looked at the bug reported finding the following inside the leaked fragments:
- plaintext database credentials,
- administrative API keys,
- environment variables,
- fragments of BSON documents belonging to other users.
In other words: a semi-random but repeatable window into the mongod process memory.
Are you exposed?
If your MongoDB instance:
- accepts connections from the internet, or
- accepts connections from a shared network (cloud LAN, multi-tenant VPC), or
- sits behind an application that surfaces detailed errors back to clients,
…treat the exposure as critical. A public PoC is circulating; in-the-wild exploitation has been confirmed.
Patches to apply
Upgrade to (at least) the patched version for your branch:
| MongoDB branch | Minimum patched version |
|---|---|
| 8.2 | 8.2.3 |
| 8.0 | 8.0.17 |
| 7.0 | 7.0.28 |
| 6.0 | 6.0.27 |
| 5.0 | 5.0.32 |
| 4.4 | 4.4.30 |
Temporary mitigation
If a patched restart is not immediately feasible:
```shell
# Force the negotiable compressor list to exclude zlib
mongod --networkMessageCompressors=snappy,zstd
```
Or in mongod.conf:
```yaml
net:
  compression:
    compressors: snappy,zstd
```
Either way, while a patch is pending: lock down access to port 27017 to the strict minimum via firewall or Security Group rules.
Check your version
```shell
mongosh --eval "db.version()"
```
Compare the output to the patched-version table above.
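The script below is an added example, not part of the original advisory, that automates the two checks from the "Temporary mitigation" and "Check your version" sections: it compares a `db.version()` string against the patched-version table above and confirms that zlib is no longer in the negotiable compressor list. It assumes the version string is exactly what `mongosh --eval "db.version()"` prints, and that the compressor list is the `parsed.net.compression.compressors` string returned by `db.adminCommand({getCmdLineOpts: 1})`; when that key is absent the server falls back to its default list, `snappy,zstd,zlib`, which still includes zlib. The `getCmdLineOpts` reply embedded in the script is a constructed sample so the check runs offline.

```python
"""Added example, not part of the original advisory: check a mongod's reported
version against the fix table above and confirm that zlib has been removed from
the negotiable compressor list (the temporary mitigation).

Assumptions not stated on the page: the version string is what
`mongosh --eval "db.version()"` prints, and the compressor list is the
`parsed.net.compression.compressors` string returned by
`db.adminCommand({getCmdLineOpts: 1})`; when that key is absent the server
falls back to its default list, "snappy,zstd,zlib", which includes zlib.
"""
from __future__ import annotations

import re
import sys
from typing import NamedTuple

# Minimum patched version per branch, copied from the advisory's table.
PATCHED: dict[tuple[int, int], tuple[int, int, int]] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Default compressor list when net.compression.compressors is not configured.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"

# X.Y.Z with an optional pre-release tag such as "-rc0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a db.version() string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return int(major), int(minor), int(patch), tag is not None


def version_status(text: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' when the branch is not in the table."""
    major, minor, patch, prerelease = parse_version(text)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    current = (major, minor, patch)
    # A release candidate of the fixed version predates the fix, so only a strictly
    # newer version, or the exact fixed version as a GA release, counts as patched.
    if current > fixed or (current == fixed and not prerelease):
        return "patched"
    return "vulnerable"


def compressors_from_cmdline_opts(opts: dict) -> str | None:
    """Extract parsed.net.compression.compressors from a getCmdLineOpts reply."""
    value = opts.get("parsed", {}).get("net", {}).get("compression", {}).get("compressors")
    return value if isinstance(value, str) else None


def zlib_enabled(compressors: str | None) -> bool:
    """True when zlib can still be negotiated ("disabled" turns compression off)."""
    configured = compressors if compressors else DEFAULT_COMPRESSORS
    names = {name.strip().lower() for name in configured.split(",") if name.strip()}
    return "zlib" in names


class Audit(NamedTuple):
    version_status: str
    zlib_enabled: bool
    exposed: bool  # unpatched (or unknown) branch with zlib still negotiable


def audit(version_text: str, compressors: str | None = None) -> Audit:
    status = version_status(version_text)
    zlib = zlib_enabled(compressors)
    return Audit(status, zlib, status != "patched" and zlib)


# Constructed sample reply, shaped like getCmdLineOpts output, for offline use.
SAMPLE_CMDLINE_OPTS = {
    "argv": ["mongod", "--config", "/etc/mongod.conf"],
    "parsed": {"net": {"compression": {"compressors": "snappy,zstd"}}},
    "ok": 1,
}

if __name__ == "__main__":
    # Usage: python mongobleed_check.py <db.version() output> [compressor list]
    version = sys.argv[1] if len(sys.argv) > 1 else "7.0.27"
    comp = sys.argv[2] if len(sys.argv) > 2 else compressors_from_cmdline_opts(SAMPLE_CMDLINE_OPTS)
    result = audit(version, comp)
    print(f"version {version}: {result.version_status}; zlib negotiable: {result.zlib_enabled}")
    print("ACTION REQUIRED" if result.exposed else "zlib path closed (still patch if vulnerable)")
```

The `exposed` flag only goes false when the version is in the patched set or zlib has been dropped from the list; an unknown branch (one not in the table) is treated as unpatched on purpose, so that out-of-support servers are flagged rather than silently passed.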
What’s next
Once patched, assume any credentials that could have transited through that instance before the fix are compromised: rotate passwords, regenerate API keys, audit access logs.
For any questions, open a ticket from your OnetSolutions client area.