PT-2025-52440 · Mongodb · Mongodb Server +1

Alan Coopersmith · Published 2025-12-19 · Updated 2026-01-26 · CVE-2025-14847

CVSS v4.0: 8.7
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

MongoDB versions 3.6 through 8.2.3
MongoDB Server versions 4.0 through 4.4.30
MongoDB Server versions 5.0 through 5.0.32
MongoDB Server versions 6.0 through 6.0.27
MongoDB Server versions 7.0 through 7.0.28
MongoDB Server versions 8.0 through 8.0.17
MongoDB Server versions 8.2 through 8.2.3
Description

MongoDB is affected by a critical vulnerability (CVE-2025-14847), dubbed "MongoBleed", that lets an unauthenticated remote attacker read uninitialized heap memory. The root cause is improper handling of a length-parameter inconsistency in zlib-compressed wire-protocol headers. Because the leaked memory can contain credentials, API keys and session tokens, the flaw exposes sensitive data without any authentication. It is actively exploited in the wild, with over 87,000 instances potentially exposed globally, and a public proof-of-concept exploit simplifies exploitation. In severity it is comparable to Heartbleed.
Recommendations

MongoDB versions prior to 3.6 are not affected.

Upgrade to MongoDB version 8.2.3 or later.
Upgrade to MongoDB Server version 4.4.30 or later.
Upgrade to MongoDB Server version 5.0.32 or later.
Upgrade to MongoDB Server version 6.0.27 or later.
Upgrade to MongoDB Server version 7.0.28 or later.
Upgrade to MongoDB Server version 8.0.17 or later.

If an immediate upgrade is not possible, disable zlib compression.
Restrict network access to MongoDB servers.
Monitor for unusual activity and potential exploitation attempts.
Rotate any potentially compromised credentials.
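The two interim mitigations above (disable zlib compression, restrict network access) map onto two keys in mongod's YAML configuration file. The following is an added example, not part of this advisory and not MongoDB's own documentation: the first document shows a weak `net` section, the second the hardened one. The port, the `bindIp` addresses and the file path are constructed placeholders; `net.compression.compressors`, `net.bindIp` and the `zlib`/`snappy`/`zstd` compressor names are real mongod configuration options. Note that mongod's default compressor list in current releases also contains zlib, so simply leaving `compressors` unset does not remove it.

```yaml
# Added example mongod.conf "net" section, NOT from the advisory.
# Document 1: weak configuration. zlib is negotiable and the server listens
# on every interface. (Default compressors in current releases are
# "snappy,zstd,zlib", so an absent "compressors" key behaves the same way.)
net:
  port: 27017                     # constructed placeholder
  bindIp: 0.0.0.0                 # every interface: reachable from untrusted networks
  compression:
    compressors: snappy,zstd,zlib # zlib present: vulnerable path remains reachable
---
# Document 2: hardened configuration for hosts that cannot be upgraded yet.
# zlib is removed from the list the server is willing to negotiate, and the
# listener is limited to loopback plus one trusted interface.
net:
  port: 27017                     # constructed placeholder
  bindIp: 127.0.0.1,10.0.0.5      # constructed placeholder addresses: restrict to trusted interfaces
  compression:
    compressors: snappy,zstd      # zlib omitted: clients can no longer negotiate it
```

Apply the change with a restart of mongod (the equivalent command-line form is `--networkMessageCompressors snappy,zstd`). To confirm what the running process actually parsed, run `db.adminCommand({ getCmdLineOpts: 1 })` from mongosh and check that `parsed.net.compression.compressors` no longer lists zlib. Removing zlib from the server side is sufficient on its own because compression is negotiated: a client that only offers zlib falls back to uncompressed messages rather than forcing zlib. This is a stop-gap; the upgrade to a fixed version listed above is still required.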

Tags: Exploit · Fix · RCE

Related Identifiers

BDU:2025-16225
BIT-MONGODB-2025-14847
CVE-2025-14847

Affected Products

Mongodb Server
Mongodb