On December 19, 2025, MongoDB issued an advisory for CVE-2025-14847, known as “MongoBleed,” a high-severity vulnerability in the server’s zlib-based network compression functionality. The flaw lies in how the server handles zlib-compressed network messages and lets an unauthenticated attacker make it return portions of its own process memory.
The problem is triggered by a specially crafted compressed message. Instead of returning only the data that was requested, the server’s response may also carry whatever else happened to be in its memory at that moment. That leaked memory can include passwords, API and cloud keys, session tokens, personal data, log fragments, and configuration details.
Because the message is decompressed before any login or authentication check, an attacker needs no valid credentials to exploit it. MongoDB recommends upgrading to a patched version as soon as possible; where that is not immediately possible, the workaround is to remove zlib from the server’s enabled compressors, either by keeping only an alternative algorithm such as zstd or Snappy or by disabling network compression entirely.
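As an added illustration of the class of bug described above (not MongoDB’s code; the server’s actual code path is not reproduced and the mechanism shown here is a simplified model of it), the following Python builds a zlib-compressed OP_COMPRESSED frame whose header claims a larger uncompressed size than the body really decompresses to. The unchecked decoder trusts the declared size and returns a reused buffer of that length, so whatever was already in the buffer (modelled by a constructed STALE_HEAP string) travels back with the response; the checked decoder bounds the declared size and rejects the mismatch. The frame layout (opcode 2012, originalOpcode, uncompressedSize, one-byte compressorId with 2 = zlib) follows the MongoDB wire protocol; STALE_HEAP, the MAX_DECLARED cap and the sample payload are constructed for the example.

```python
import struct
import zlib

OP_COMPRESSED = 2012     # wire opcode carrying a compressed message
OP_MSG = 2013            # opcode of the message inside the compressed body
COMPRESSOR_ZLIB = 2      # compressorId value for zlib
MAX_DECLARED = 1 << 20   # illustrative cap a decoder should enforce before allocating

# Constructed stand-in for whatever is left over in a reused server buffer.
STALE_HEAP = b"password=hunter2;AWS_SECRET_ACCESS_KEY=EXAMPLEKEY;" * 8


def build_op_compressed(payload: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Wrap a zlib-compressed payload in an OP_COMPRESSED frame.

    declared_size is written into the uncompressedSize field unchanged, so a
    caller can claim more bytes than the body really decompresses to.
    """
    body = zlib.compress(payload)
    inner = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + body
    header = struct.pack("<iiii", 16 + len(inner), request_id, 0, OP_COMPRESSED)
    return header + inner


def _parse_frame(frame: bytes):
    """Return (declared_size, compressed_body) after checking opcode and compressor."""
    msg_len, _, _, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame):
        raise ValueError("not a well-formed OP_COMPRESSED frame")
    _, declared_size, compressor = struct.unpack_from("<iiB", frame, 16)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError(f"unsupported compressorId {compressor}")
    return declared_size, frame[25:]


def decode_unchecked(frame: bytes) -> bytes:
    """Model of the flawed pattern: trust uncompressedSize, decompress into a
    reused buffer of that size, and return the whole buffer regardless of how
    many bytes zlib actually produced."""
    declared_size, body = _parse_frame(frame)
    # A reused buffer: bytes beyond what zlib writes are stale content.
    buf = bytearray(STALE_HEAP[:declared_size].ljust(declared_size, b"\0"))
    out = zlib.decompress(body)
    buf[:len(out)] = out
    return bytes(buf)            # declared_size bytes, not len(out) bytes


def decode_checked(frame: bytes) -> bytes:
    """Hardened decoder: bound the declared size before allocating, never let
    zlib produce more than that, and require the output length to match."""
    declared_size, body = _parse_frame(frame)
    if not 0 < declared_size <= MAX_DECLARED:
        raise ValueError(f"uncompressedSize {declared_size} out of range")
    d = zlib.decompressobj()
    out = d.decompress(body, declared_size + 1)   # cap output at what we will accept
    if len(out) != declared_size or not d.eof:
        raise ValueError(f"uncompressedSize {declared_size} but zlib produced {len(out)} bytes")
    return out


def leaked_bytes(frame: bytes) -> bytes:
    """Bytes the unchecked decoder returns that were never in the message."""
    actual = zlib.decompress(_parse_frame(frame)[1])
    return decode_unchecked(frame)[len(actual):]


if __name__ == "__main__":
    payload = b'{"ping": 1}'
    honest = build_op_compressed(payload, len(payload))
    crafted = build_op_compressed(payload, 256)
    print("checked, honest   :", decode_checked(honest))
    print("unchecked, crafted:", leaked_bytes(crafted)[:60], "...")
    try:
        decode_checked(crafted)
    except ValueError as e:
        print("checked, crafted  : rejected:", e)
```

The point of the checked variant is that the length check is applied to what zlib actually wrote, not to the header field the client controls, and that the output is capped before allocation so an oversized claim cannot be used for a memory-exhaustion attempt either.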
Active Exploitation
Threat actors began exploiting MongoBleed shortly after public disclosure of the vulnerability. Public proof-of-concept (PoC) exploit code has been made available that enables remote extraction of sensitive memory from exposed MongoDB servers. Security researchers have demonstrated that available exploits only require the IP address of an affected MongoDB instance to retrieve database passwords, AWS keys, and similar secrets.
Internet-wide scans from Shodan show over 87,000 potentially vulnerable MongoDB instances exposed as of December 27, including about 20,000 in the United States, 17,000 in China, and nearly 8,000 in Germany. Cloud telemetry from Wiz indicated that roughly 42% of the environments they observed had at least one vulnerable MongoDB instance, with exploitation observed in the wild.
Recommendations for CVE-2025-14847
Upgrade MongoDB to a Fixed Version
Arctic Wolf strongly recommends that customers upgrade MongoDB to the latest fixed version as soon as possible.
| Product | Affected Versions | Fixed Version |
|---------|-------------------|---------------|
| MongoDB 8.2 | Below 8.2.3 | 8.2.3 or above |
| MongoDB 8.0 | Below 8.0.17 | 8.0.17 or above |
| MongoDB 7.0 | Below 7.0.28 | 7.0.28 or above |
| MongoDB 6.0 | Below 6.0.27 | 6.0.27 or above |
| MongoDB 5.0 | Below 5.0.32 | 5.0.32 or above |
| MongoDB 4.4 | Below 4.4.30 | 4.4.30 or above |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Workaround
For users who are unable to immediately upgrade, MongoDB recommends the following:
- Disable zlib compression on the MongoDB Server by starting every mongod and mongos with the --networkMessageCompressors command-line option or the net.compression.compressors configuration-file setting set to a value that explicitly omits zlib. Example safe values are snappy,zstd (keep the other compressors) and disabled (turn network compression off entirely). This is a startup option, so each process has to be restarted for the change to take effect; the running value can be confirmed with db.adminCommand({ getCmdLineOpts: 1 }). The workaround removes the vulnerable zlib path but is not a substitute for upgrading.
Additional details are available in the MongoDB documentation for these settings.
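Bringing the version table and the workaround together, the following Python is an added fleet-audit helper, not MongoDB’s or Arctic Wolf’s code. It classifies each server by the fixed versions in the table above and by the compressor list read from a getCmdLineOpts result (parsed.net.compression.compressors, or a --networkMessageCompressors argument in argv). Assumptions: the server default when nothing is configured is taken to be snappy,zstd,zlib; the inventory is constructed sample data, not real hosts; and release branches not in the table are reported as unlisted rather than guessed at.

```python
# Fixed versions per release branch, taken from the advisory table above.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Assumed server default when no compressor list is configured.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text: str) -> tuple:
    """'7.0.27' -> (7, 0, 27). A pre-release suffix such as '-rc0' is dropped."""
    parts = text.strip().split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    return tuple(int(p) for p in parts)


def version_status(text: str) -> str:
    """'fixed', 'unpatched', or 'unlisted' when the branch is not in the table."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "fixed" if (major, minor, patch) >= fixed else "unpatched"


def configured_compressors(cmdline_opts: dict) -> str:
    """Compressor list from a db.adminCommand({getCmdLineOpts: 1}) result.

    Prefers parsed.net.compression.compressors, then scans argv for
    --networkMessageCompressors, else falls back to the assumed default.
    """
    parsed = cmdline_opts.get("parsed", {})
    value = parsed.get("net", {}).get("compression", {}).get("compressors")
    if value is None:
        argv = cmdline_opts.get("argv", [])
        for i, arg in enumerate(argv):
            if arg.startswith("--networkMessageCompressors="):
                value = arg.split("=", 1)[1]
            elif arg == "--networkMessageCompressors" and i + 1 < len(argv):
                value = argv[i + 1]
    return value if value is not None else DEFAULT_COMPRESSORS


def zlib_enabled(compressors: str) -> bool:
    """True when the list still allows zlib ('disabled' turns compression off)."""
    names = {c.strip().lower() for c in compressors.split(",") if c.strip()}
    return "zlib" in names and "disabled" not in names


def assess(host: str, version: str, cmdline_opts: dict) -> dict:
    """Combine the version check and the zlib check into one verdict."""
    status = version_status(version)
    compressors = configured_compressors(cmdline_opts)
    if status == "fixed":
        verdict = "patched"
    elif not zlib_enabled(compressors):
        verdict = "mitigated"      # zlib off; the upgrade is still required
    elif status == "unpatched":
        verdict = "vulnerable"
    else:
        verdict = "unlisted"       # zlib on, branch not in the table: check the vendor advisory
    return {"host": host, "version": version, "compressors": compressors, "verdict": verdict}


# Constructed inventory for the example (not real hosts or real output).
INVENTORY = [
    ("db-01", "7.0.27", {"argv": ["mongod", "-f", "/etc/mongod.conf"],
                         "parsed": {"net": {"compression": {"compressors": "snappy,zstd,zlib"}}}}),
    ("db-02", "7.0.27", {"argv": ["mongod", "--networkMessageCompressors", "snappy,zstd"],
                         "parsed": {}}),   # parsed left empty to exercise the argv fallback
    ("db-03", "8.0.17", {"argv": ["mongod"], "parsed": {}}),
    ("db-04", "6.0.26", {"argv": ["mongod"], "parsed": {}}),   # nothing set: default includes zlib
    ("db-05", "4.2.25", {"argv": ["mongod", "--networkMessageCompressors=disabled"], "parsed": {}}),
    ("db-06", "4.2.25", {"argv": ["mongod"], "parsed": {}}),   # branch not in the table
]


def run_audit(inventory=INVENTORY) -> list:
    """Assess every (host, version, getCmdLineOpts) tuple in the inventory."""
    return [assess(host, version, opts) for host, version, opts in inventory]


if __name__ == "__main__":
    for row in run_audit():
        print(f'{row["host"]:6} {row["version"]:8} {row["compressors"]:18} {row["verdict"]}')
```

A "mitigated" verdict only means the zlib path is closed on that process; it still belongs on the upgrade list, and the check has to be repeated for every mongod and mongos, since the setting is per process.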