
MongoBleed (CVE-2025-14847): the MongoDB memory leak CISA orders patched urgently

MongoBleed (CVE-2025-14847), a memory-disclosure vulnerability in MongoDB Server that in both mechanics and name echoes OpenSSL’s infamous Heartbleed, went public in late December 2025. On December 29, the U.S. agency CISA confirmed active exploitation and added it to its Known Exploited Vulnerabilities (KEV) catalog, setting a patching deadline for federal agencies of January 19, 2026.

What the vulnerability is

The flaw lies in how MongoDB Server processes network packets when zlib compression is enabled (a default configuration in many deployments). The official NVD description is precise: “Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client.”

In other words: an attacker sends crafted compressed messages with a manipulated length field, and the server responds by returning chunks of process memory it should never expose. It is a classic memory over-read pattern, identical in spirit to Heartbleed.

Who it affects

The vulnerability affects a very wide range of MongoDB Server versions, including the 4.4, 5.0, 6.0, 7.0, 8.0 and 8.2 branches. The fixed versions are 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17 and 8.2.3 (and later releases on each branch). The key condition is having zlib compression active and the MongoDB port reachable over the network.

Exposure is massive: Shadowserver located more than 74,000 exposed instances and Censys tracked over 87,000 IP addresses potentially vulnerable. According to Wiz, 42% of visible cloud systems had at least one MongoDB instance running an affected version.

Severity

The flaw is rated High, with a CVSS 4.0 score of 8.7 (and 7.5 under CVSS 3.1). The vector confirms how dangerous it is: network-exploitable (AV:N), low complexity (AC:L), no authentication (PR:N) and no user interaction (UI:N), with high confidentiality impact.

The real danger is what can be extracted from that leaked memory: credentials, API and cloud keys, session tokens, internal logs and personally identifiable information (PII). An Elastic researcher published a proof of concept demonstrating the leak of sensitive data from unpatched hosts, raising the risk of widespread exploitation.

Mitigation and patch

MongoDB fixed the flaw on December 19, 2025. The primary recommendation is to upgrade to the patched versions listed above. If immediate upgrade is not feasible, the temporary mitigation is to disable zlib compression on the server, which closes the attack vector.
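An inventory triage check built from the two conditions above (the per-branch fixed versions and whether zlib is among the enabled compressors), as an added example that is not part of the original article. It assumes each inventory record carries the server version (as reported by the `buildInfo` command) and the value of the mongod.conf key `net.compression.compressors`, whose default of `snappy,zstd,zlib` leaves zlib enabled.

```python
# Added example (not from the article): triage check for MongoBleed
# (CVE-2025-14847) over an inventory of MongoDB Server instances. Assumes each
# record carries the server version (e.g. from the buildInfo command) and the
# configured compressors (mongod.conf net.compression.compressors, default
# "snappy,zstd,zlib", which includes zlib).

# First fixed version per branch, as listed in the article; trailing 1 marks
# a release (pre-releases get 0 so "8.2.3-rc0" sorts below "8.2.3").
FIXED = {
    (4, 4): (4, 4, 30, 1),
    (5, 0): (5, 0, 32, 1),
    (6, 0): (6, 0, 27, 1),
    (7, 0): (7, 0, 28, 1),
    (8, 0): (8, 0, 17, 1),
    (8, 2): (8, 2, 3, 1),
}

def parse_version(version):
    """Parse 'X.Y.Z' or 'X.Y.Z-rc0' into (major, minor, patch, is_release)."""
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], 0 if suffix else 1)

def assess(version, compressors, reachable=True):
    """Return 'patched', 'mitigated', 'vulnerable' or 'unknown-branch'."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"  # branch not in the article's fixed-version list
    if v >= fixed:
        return "patched"
    zlib_on = "zlib" in {c.strip() for c in compressors.split(",")}
    if not zlib_on or not reachable:
        return "mitigated"  # zlib disabled, or port not reachable over the network
    return "vulnerable"

def triage(inventory):
    return [(r["host"], assess(r["version"], r["compressors"], r.get("reachable", True)))
            for r in inventory]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    {"host": "db-01", "version": "7.0.14", "compressors": "snappy,zstd,zlib"},
    {"host": "db-02", "version": "7.0.28", "compressors": "snappy,zstd,zlib"},
    {"host": "db-03", "version": "6.0.20", "compressors": "snappy,zstd"},
    {"host": "db-04", "version": "8.2.3-rc0", "compressors": "zlib"},
    {"host": "db-05", "version": "8.0.10", "compressors": "zlib", "reachable": False},
]
```

Running `triage(SAMPLE)` flags db-01 and db-04 as vulnerable, db-02 as patched and db-03 and db-05 as mitigated; a pre-release build of a fixed version is deliberately treated as unpatched.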

As additional measures, always apply the principle of minimal exposure: do not expose the MongoDB port directly to the internet, restrict access via firewall and network segmentation, and enforce authentication. Given active exploitation and a public PoC, this patch should be treated as a top priority across any inventory.
