# MongoBleed (CVE-2025-14847): Unauthenticated MongoDB Memory Leak

> A flaw in MongoDB's network layer leaks fragments of server RAM — credentials, API keys, BSON — to unauthenticated attackers.

*Published on December 1, 2025*

<Warning>
  **CVE-2025-14847 — nicknamed "MongoBleed".** Pre-authentication, reachable from the internet, public PoC in circulation. Treat any MongoDB instance exposed without the patch as compromised until proven otherwise.
</Warning>

## The short version

MongoDB's network transport bundles a zlib decompressor that does not strictly validate the size of the decompressed payload. When a client sends a compressed frame whose decompressed content is smaller than the buffer the server allocated for it, the server returns that whole buffer **without zeroing it out**: the leftover bytes are stale heap data, in other words, chunks of RAM previously used by other requests.

The attacker does not need **any account**: compression is negotiated during the handshake, before authentication. Repeating the trick lets them collect memory fragments request after request.

## What ends up leaking, in practice

Researchers who looked at the bug report finding the following inside the leaked fragments:

* plaintext database credentials,
* administrative API keys,
* environment variables,
* fragments of BSON documents belonging to other users.

In other words: a semi-random but repeatable window into the `mongod` process memory.

## Are you exposed?

If your MongoDB instance:

* accepts connections from the internet, **or**
* accepts connections from a shared network (cloud LAN, multi-tenant VPC), **or**
* sits behind an application that surfaces detailed errors back to clients,

…treat the exposure as critical. A public PoC is circulating; in-the-wild exploitation has been confirmed.

## Patches to apply

Upgrade to (at least) the patched version for your branch:

| MongoDB branch | Minimum patched version |
| -------------- | ----------------------- |
| 8.2            | 8.2.3                   |
| 8.0            | 8.0.17                  |
| 7.0            | 7.0.28                  |
| 6.0            | 6.0.27                  |
| 5.0            | 5.0.32                  |
| 4.4            | 4.4.30                  |

## Temporary mitigation

If a patched restart is not immediately feasible:

```bash theme={null}
# Force the negotiable compressor list to exclude zlib
mongod --networkMessageCompressors=snappy,zstd
```

Or in `mongod.conf`:

```yaml theme={null}
net:
  compression:
    compressors: snappy,zstd
```

Either way, while a patch is pending: lock down access to port `27017` to the strict minimum via firewall or Security Group rules.
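Once the instance has been restarted with the new compressor list, it is worth confirming that the change took effect rather than trusting the config file. The script below is an added example, not part of the original advisory and not MongoDB tooling. It assumes `mongosh` is on the PATH, that you pass your own connection string (the default is a local placeholder), that `getCmdLineOpts` reports the compressor list under `parsed.net.compression.compressors` (an unset value meaning the server default, which includes zlib), and that the server's `hello` reply echoes, in its `compression` field, the subset of compressors it accepted from those the client offered (standard wire-protocol negotiation).

```shell
#!/usr/bin/env bash
# Added example, not from the original advisory: after the restart, confirm
# that zlib is really out of the negotiable list. Assumes mongosh is on PATH.

# Startup options as the server parsed them (the CLI flag and mongod.conf both
# land under parsed.net.compression.compressors). Assumption: an unset value
# means the server default, which includes zlib.
configured_compressors() {
  uri="${1:-mongodb://127.0.0.1:27017}"   # placeholder; pass your own URI
  mongosh --quiet "$uri" --eval \
    'print(db.adminCommand({getCmdLineOpts: 1}).parsed?.net?.compression?.compressors
           ?? "snappy,zstd,zlib (server default, nothing configured)")'
}

# What the server actually agrees to when a client offers all three.
# Assumption: the hello reply echoes the accepted subset in its `compression` field.
negotiated_compressors() {
  uri="${1:-mongodb://127.0.0.1:27017}"
  mongosh --quiet "$uri" --eval \
    'print(JSON.stringify(db.adminCommand({hello: 1, compression: ["zlib", "snappy", "zstd"]}).compression ?? []))'
}

# Pure check on either output above: exit 0 when zlib is absent, 1 when it appears.
zlib_absent() {
  case "$1" in
    *zlib*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Run as: ./check_zlib.sh "mongodb://host:27017"  (no argument: define functions only)
if [ "$#" -gt 0 ]; then
  cfg="$(configured_compressors "$1")"
  neg="$(negotiated_compressors "$1")"
  printf 'configured: %s\nnegotiated: %s\n' "$cfg" "$neg"
  if zlib_absent "$cfg" && zlib_absent "$neg"; then
    echo "zlib: not offered and not negotiated (mitigation in effect)"
  else
    echo "zlib: STILL available; re-check the flag/config and restart mongod"
  fi
fi
```

Both queries are ordinary administrative reads; the second one is exactly the handshake every driver performs, so it is safe to run against production. The two views are checked separately because a config edit without a restart will show the new list in the file but the old one from both commands.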

## Check your version

```bash theme={null}
mongosh --eval "db.version()"
```

Compare the output to the patched-version table above.
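Doing that comparison by eye across several instances is error-prone, so here is the comparison as a script. It is an added example, not part of the original advisory; the branch table inside it is copied from the table above, and it assumes version strings in the usual `x.y.z` form, optionally with a pre-release or build suffix such as `-rc0`, which it treats as older than the final build of the same number.

```shell
#!/usr/bin/env bash
# Added example, not from the original advisory: classify a mongod version
# string against the patched-version table above. Pure shell; feed it the
# output of `mongosh --quiet --eval "db.version()"`.

# Minimum patched version per branch (values from the table above).
mongobleed_min_version() {
  case "$1" in
    8.2) echo 8.2.3 ;;
    8.0) echo 8.0.17 ;;
    7.0) echo 7.0.28 ;;
    6.0) echo 6.0.27 ;;
    5.0) echo 5.0.32 ;;
    4.4) echo 4.4.30 ;;
    *)   return 1 ;;
  esac
}

# Usage: mongobleed_status <version>
# Prints: patched | vulnerable | unknown-branch
# (unknown-branch: the x.y line is not in the table, e.g. an EOL line with no
#  fix listed or a newer line; check the vendor notes rather than assuming.)
mongobleed_status() {
  ver="$1" pre=""
  # A pre-release/build suffix (8.0.17-rc0) sorts before the final build of the
  # same number, so remember that it was there, then keep only the x.y.z part.
  case "$ver" in *[-+]*) pre=1 ;; esac
  ver="${ver%%[-+]*}"
  major="${ver%%.*}"; rest="${ver#*.}"
  case "$rest" in
    *.*) minor="${rest%%.*}"; patch="${rest#*.}" ;;
    *)   minor="$rest";        patch=0 ;;
  esac
  patch="${patch%%[!0-9]*}"   # drop anything after the numeric patch level
  : "${patch:=0}"
  if ! min="$(mongobleed_min_version "$major.$minor")"; then
    echo unknown-branch
    return 0
  fi
  min_patch="${min##*.}"
  if [ "$patch" -gt "$min_patch" ] ||
     { [ "$patch" -eq "$min_patch" ] && [ -z "$pre" ]; }; then
    echo patched
  else
    echo vulnerable
  fi
}

# Run as: ./mongobleed_check.sh "$(mongosh --quiet --eval 'db.version()')" [more versions...]
for v in "$@"; do
  printf '%s: %s\n' "$v" "$(mongobleed_status "$v")"
done
```

Because the branch is matched exactly, a version on a line the table does not list is reported as `unknown-branch` rather than silently as patched; that is the case worth escalating, since an end-of-life line has no fix to upgrade to.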

## What's next

Once patched, assume any credentials that could have transited through that instance before the fix are compromised: rotate passwords, regenerate API keys, audit access logs.

For any questions, open a ticket from your [OnetSolutions client area](https://onetsolutions.net).
