Threat Advisory

MongoBleed Exploit Allows Unauthenticated Attackers to Drain MongoDB Memory

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A high-severity vulnerability known as MongoBleed (CVE-2025-14847) has been identified in MongoDB Server. It stems from improper handling of zlib-compressed network messages: by sending specially crafted compressed requests, a remote attacker can cause the server to include uninitialized heap memory in its response. Because that heap is shared with the rest of the server process, the leaked bytes can contain whatever the server was recently working with, such as internal state, memory pointers, credentials or authentication tokens, and repeated requests let an attacker harvest memory over time. No valid credentials are required, which makes every MongoDB instance reachable from an untrusted network a candidate target, and a public proof of concept is available.

The issue affects MongoDB Server 8.2.0 before 8.2.3, 8.0.0 before 8.0.17, 7.0.0 before 7.0.28, 6.0.0 before 6.0.27, 5.0.0 before 5.0.32, 4.4.0 before 4.4.30, and all releases of the 4.2, 4.0 and 3.6 branches, which are end of life and receive no fix. Given the ease of exploitation and the potential for data exposure, the vulnerability carries a CVSS score of 8.7 (High).
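The description above comes down to one invariant that any endpoint inflating compressed wire messages must enforce: the bytes zlib actually produces must match the length the message header declares, and a buffer sized from the header must never be passed on partially filled. The Python decoder below for MongoDB's OP_COMPRESSED frame (opcode 2012, compressor id 2 for zlib, as documented in the public wire protocol) is an added example written for this advisory; it is not code from the advisory, from MongoDB or from the referenced proof of concept, and its mismatch handling shows what strict validation looks like rather than describing the server's actual defect or patch. The sample OP_MSG body, encode_op_compressed, decode_op_compressed and classify are this example's own constructions.

```python
"""Strict decoding of MongoDB wire-protocol OP_COMPRESSED frames.

Added example for this advisory; not code from the advisory, from MongoDB
or from the referenced PoC. Frame layout follows the public MongoDB wire
protocol (opcode 2012, compressor id 2 == zlib). The size-mismatch
handling illustrates the invariant a decompressing endpoint must enforce;
it does not describe the server's actual defect or its patch.
"""
import struct
import zlib
from typing import Optional, Tuple

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
# Matches the maxMessageSizeBytes a MongoDB server advertises in its hello
# response; nothing larger should ever be declared in a frame.
MAX_UNCOMPRESSED = 48_000_000
# standard header + originalOpcode + uncompressedSize + compressorId
FIXED_FIELDS = 16 + 4 + 4 + 1

# Constructed sample: an OP_MSG body carrying {"ping": 1}
# (flagBits, section kind 0, BSON document).
_PING_BSON = struct.pack("<i", 15) + b"\x10ping\x00" + struct.pack("<i", 1) + b"\x00"
SAMPLE_OP_MSG_BODY = struct.pack("<i", 0) + b"\x00" + _PING_BSON


class MalformedMessage(ValueError):
    """Raised for any frame whose fields do not agree with its contents."""


def encode_op_compressed(payload: bytes, request_id: int,
                         declared_size: Optional[int] = None) -> bytes:
    """Wrap an original message body in OP_COMPRESSED using zlib.

    declared_size lets a test build a frame whose uncompressedSize disagrees
    with the real payload length; an honest client leaves it None.
    """
    compressed = zlib.compress(payload)
    size = len(payload) if declared_size is None else declared_size
    body = struct.pack("<iiB", OP_MSG, size, COMPRESSOR_ZLIB) + compressed
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def decode_op_compressed(frame: bytes) -> Tuple[int, bytes]:
    """Return (originalOpcode, inflated body), or raise MalformedMessage."""
    if len(frame) < FIXED_FIELDS:
        raise MalformedMessage("frame shorter than the OP_COMPRESSED fixed fields")
    msg_len, _request_id, _response_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame):
        raise MalformedMessage("opcode or messageLength does not match the frame")
    original_op, declared, compressor = struct.unpack_from("<iiB", frame, 16)
    if compressor != COMPRESSOR_ZLIB:
        raise MalformedMessage(f"unsupported compressor id {compressor}")
    if not 1 <= declared <= MAX_UNCOMPRESSED:
        raise MalformedMessage(f"uncompressedSize {declared} out of range")

    inflater = zlib.decompressobj()
    # Cap output at the declared size: a hostile stream must not be able to
    # make us produce more than the header promised (decompression bomb).
    out = inflater.decompress(frame[FIXED_FIELDS:], max_length=declared)
    # Any further output means the stream is longer than declared; ask for at
    # most one more byte so a bomb still cannot expand past the cap.
    extra = inflater.decompress(inflater.unconsumed_tail, max_length=1)
    if extra or not inflater.eof:
        raise MalformedMessage("compressed stream does not end exactly at uncompressedSize")
    if inflater.unused_data:
        raise MalformedMessage("trailing bytes after the end of the compressed stream")
    if len(out) != declared:
        # The check that matters: a buffer sized from the header but only
        # partly filled by the decompressor is never handed on.
        raise MalformedMessage(f"inflated {len(out)} bytes but header declared {declared}")
    return original_op, out


def classify(frame: bytes) -> str:
    """'ok' for a consistent frame, otherwise 'rejected: <reason>'."""
    try:
        decode_op_compressed(frame)
        return "ok"
    except MalformedMessage as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    honest = encode_op_compressed(SAMPLE_OP_MSG_BODY, 1)
    oversize = encode_op_compressed(SAMPLE_OP_MSG_BODY, 2,
                                    declared_size=len(SAMPLE_OP_MSG_BODY) + 4096)
    undersize = encode_op_compressed(SAMPLE_OP_MSG_BODY, 3,
                                     declared_size=len(SAMPLE_OP_MSG_BODY) - 4)
    for name, frame in (("honest", honest), ("oversize", oversize), ("undersize", undersize)):
        print(f"{name:9s} {classify(frame)}")
```

The two rejections are the ones worth noticing. A header that declares more bytes than zlib produces is caught by the final length comparison, so the caller never receives a buffer whose tail was never written; a header that declares fewer is caught because the stream still has output pending when the cap is reached. Both checks are cheap, and the max_length cap means a malicious stream cannot force the decoder to allocate beyond what the header promised.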

RECOMMENDATION:

We strongly recommend updating MongoDB Server to the fixed release for the branch in use: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 or 4.4.30. No fix is available for the 4.2, 4.0 and 3.6 branches; deployments on those versions must be migrated to a supported branch. Confirm the result by checking the reported version (db.version() in the shell) on every node, including replica-set secondaries and arbiters that are easy to miss during a rolling upgrade.

Until the upgrade is complete, reduce exposure: do not expose the MongoDB listener to the internet, restrict it with net.bindIp and network access controls, and, as an interim mitigation consistent with the described flaw, remove zlib from net.compression.compressors (leaving snappy and zstd) so the server no longer negotiates zlib compression. This is a workaround, not a substitute for patching. Because disclosed heap memory can contain credentials and authentication tokens, treat any instance that was reachable from untrusted networks while unpatched as potentially exposed and rotate the credentials it held once it is patched.

REFERENCES:

The following report contains further technical details:

https://securityonline.info/poc-released-mongobleed-exploit-allows-unauthenticated-attackers-to-drain-mongodb-memory/
