MongoBleed (CVE-2025-14847) is a critical, unauthenticated memory-disclosure vulnerability in MongoDB Server that lets remote attackers manipulate the OP_COMPRESSED uncompressedSize field to trigger oversized heap allocations and leak sensitive data such as cleartext credentials and API keys. A public proof-of-concept and confirmed active exploitation were published in late December 2025, and roughly 146,000 internet-exposed MongoDB instances increase the urgency of patching or applying mitigations such as blocking TCP/27017 or disabling zlib compression. #MongoBleed #CVE-2025-14847
Keypoints
- CVE-2025-14847 (MongoBleed) is a critical unauthenticated memory disclosure in MongoDB Server's handling of zlib-compressed wire-protocol messages, with a CVSS score of 8.7.
- An attacker can trigger leaks prior to authentication by sending crafted compressed messages that set an oversized uncompressedSize in the OP_COMPRESSED header.
- Leaked heap memory can include cleartext credentials, API keys, session tokens, and PII; exploitation is read-only but enables further compromise using leaked secrets.
- A public PoC exploit was published on Dec. 26, 2025, and CISA added CVE-2025-14847 to the KEV Catalog on Dec. 29, 2025, confirming active exploitation.
- Cortex Xpanse identified approximately 146,000 internet-exposed vulnerable MongoDB instances; managed MongoDB Atlas was automatically patched, while self-hosted instances require manual updates.
- Interim mitigations include blocking inbound access to TCP/27017, disabling zlib compression, network segmentation, and using Palo Alto Networks tools (Cortex XDR, XSIAM, Cortex Cloud, Cortex Xpanse) for detection and response.
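A defender-side consistency check on captured OP_COMPRESSED frames, added here as an example and not code from the Unit 42 article: it parses the standard MongoDB wire header and the OP_COMPRESSED body, inflates the zlib payload bounded by the declared uncompressedSize, and flags headers that declare more than the payload actually holds. Opcode, compressorId and the 48 MiB message cap are from the MongoDB wire-protocol specification; the 1032:1 deflate bound is a documented zlib limit, and the sample frames are constructed.

```python
import struct
import zlib

OP_COMPRESSED = 2012            # MongoDB wire-protocol opcode for OP_COMPRESSED
OP_MSG = 2013                   # opcode wrapped inside the constructed samples below
COMPRESSOR_ZLIB = 2             # compressorId values: 0 noop, 1 snappy, 2 zlib, 3 zstd
MAX_MESSAGE = 48 * 1024 * 1024  # mongod's maxMessageSizeBytes (48 MiB)
ZLIB_MAX_RATIO = 1032           # a deflate stream cannot expand beyond ~1032:1

def inspect_op_compressed(frame: bytes) -> dict:
    """Does the OP_COMPRESSED header's uncompressedSize agree with what the zlib
    payload really inflates to? Inflation is bounded by the declared size, so a
    lying header never makes this checker itself allocate a large buffer."""
    if len(frame) < 25:  # 16-byte standard header + 9-byte OP_COMPRESSED header
        return {"suspicious": True, "reason": "frame shorter than OP_COMPRESSED header"}
    msg_len, _req_id, _resp_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED:
        return {"suspicious": False, "reason": "not OP_COMPRESSED"}
    if msg_len != len(frame):
        return {"suspicious": True, "reason": "messageLength disagrees with frame length"}
    _orig_op, declared, comp_id = struct.unpack_from("<iiB", frame, 16)
    payload = frame[25:]
    if declared < 0 or declared > MAX_MESSAGE:
        return {"suspicious": True, "reason": f"uncompressedSize {declared} outside 0..{MAX_MESSAGE}"}
    if comp_id != COMPRESSOR_ZLIB:
        return {"suspicious": False, "reason": "non-zlib compressor, out of scope"}
    # Cheap pre-check that needs no inflation at all: impossible ratios are a lie.
    if declared > ZLIB_MAX_RATIO * len(payload) + 64:
        return {"suspicious": True, "reason": f"uncompressedSize {declared} impossible for {len(payload)} payload bytes"}
    try:
        d = zlib.decompressobj()
        actual = d.decompress(payload, max(declared, 1))  # inflate at most `declared` bytes
        extra = d.decompress(d.unconsumed_tail, 1)        # probe for output beyond the declared size
    except zlib.error:
        return {"suspicious": True, "reason": "malformed zlib stream"}
    real = len(actual) + len(extra)
    if real != declared:
        return {"suspicious": True, "reason": f"header declares {declared} bytes, payload inflates to {real}{'+' if extra else ''}"}
    return {"suspicious": False, "reason": "header consistent with payload"}

def build_frame(payload: bytes, declared: int) -> bytes:
    """Constructed zlib OP_COMPRESSED frame, used only to exercise the checker."""
    body = struct.pack("<iiB", OP_MSG, declared, COMPRESSOR_ZLIB) + payload
    return struct.pack("<iiii", 16 + len(body), 1, 0, OP_COMPRESSED) + body

INNER = bytes(200)                                   # constructed 200-byte inner OP_MSG body
BENIGN = build_frame(zlib.compress(INNER), 200)      # honest header
OVERSIZED = build_frame(zlib.compress(INNER), 300)   # header claims more than the payload holds
```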
MITRE Techniques
- [None] No MITRE ATT&CK techniques were explicitly mentioned in the article.
Indicators of Compromise
- [Network Port] Default MongoDB service port used as the remote attack vector – TCP/27017
- [Domain] Source of the public proof-of-concept exploit – github.com (public PoC repository)
- [Process Name] Process names observed in detection queries related to targeted servers – mongod, mongod.exe
Read more: https://unit42.paloaltonetworks.com/mongobleed-cve-2025-14847/