
CVE-2025-14847 - MongoBleed - Vulnerability Affecting MongoDB

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. 

Severity level 

CVSS Score: 8.7/High

Description:- CVE-2025-14847, known as MongoBleed, is a heap-memory disclosure vulnerability in MongoDB Server. It arises in the server’s zlib compression handling logic, specifically in how it parses compressed network messages. By sending specially crafted messages with inconsistent length fields, an attacker can cause MongoDB to return uninitialized heap memory, potentially exposing sensitive in-memory data, without any authentication.

Affected Versions :- 

  • 8.2.x < 8.2.3.
  • 8.0.x < 8.0.17.
  • 7.0.x < 7.0.28.
  • 6.0.x < 6.0.27.
  • 5.0.x < 5.0.32.
  • 4.4.x < 4.4.30.
  • All 4.2.x, 4.0.x, and 3.6.x versions.

Impact:- MongoDB can handle sensitive information such as PII, authentication credentials, tokens, keys, and operational metadata. Memory leaks may expose authentication tokens and secrets, database session data, and PII. Even a read-only leak can enable credential compromise, leading to data theft or full system takeover.

Resolution:-

  • Patch immediately to: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30, or newer.
  • If patching is delayed: Disable zlib compression by configuring the networkMessageCompressors setting so that it does not include zlib, and restrict network access to trusted IPs only.
  • Enable verbose JSON logging to track connection metadata and parsing errors.
  • Scan logs for bursty connections with missing metadata from suspicious IPs.
  • If exploitation is suspected, contact infosec@yorku.ca and rotate secrets such as tokens, keys, and credentials that may have been leaked.
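A triage helper for the logging steps above (verbose JSON logging, bursty connections, missing client metadata), added here as an example rather than York UIT tooling. It assumes MongoDB's JSON log format, with message id 22943 for "Connection accepted", id 51800 for "client metadata", and the peer address in attr.remote; the sample log lines are constructed.

```python
"""Flag source IPs that open bursts of connections without sending client metadata."""
import json
from collections import defaultdict
from datetime import datetime

CONN_ACCEPTED = 22943    # assumed id of the "Connection accepted" message
CLIENT_METADATA = 51800  # assumed id of the "client metadata" message

def _ts(entry):
    return datetime.fromisoformat(entry["t"]["$date"].replace("Z", "+00:00"))

def find_suspicious_sources(lines, burst=5, window_s=10, max_meta_ratio=0.2):
    """Map ip -> (accepted connections, connections that sent metadata) for IPs
    that opened >= `burst` connections within `window_s` seconds and where at
    most `max_meta_ratio` of those connections sent client metadata."""
    accepted = defaultdict(list)   # ip -> list of (timestamp, "ip:port")
    with_meta = set()              # "ip:port" endpoints that sent metadata
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue               # skip non-JSON noise in the file
        remote = (e.get("attr") or {}).get("remote")
        if not remote:
            continue
        if e.get("id") == CONN_ACCEPTED:
            accepted[remote.rsplit(":", 1)[0]].append((_ts(e), remote))
        elif e.get("id") == CLIENT_METADATA:
            with_meta.add(remote)
    flagged = {}
    for ip, conns in accepted.items():
        conns.sort()
        # sliding window: do any `burst` consecutive accepts fall within window_s?
        bursty = any((conns[i + burst - 1][0] - conns[i][0]).total_seconds() <= window_s
                     for i in range(len(conns) - burst + 1))
        n_meta = sum(1 for _, r in conns if r in with_meta)
        if bursty and n_meta <= max_meta_ratio * len(conns):
            flagged[ip] = (len(conns), n_meta)
    return flagged

def _line(sec, msg_id, remote):
    """Build a constructed log line in the assumed MongoDB JSON log shape."""
    return json.dumps({"t": {"$date": f"2025-12-20T10:00:{sec:02d}.000Z"}, "s": "I",
                       "c": "NETWORK", "id": msg_id, "ctx": "conn", "msg": "",
                       "attr": {"remote": remote}})

SAMPLE_LOG = (  # constructed: one normal client, one source hammering without metadata
    [_line(1, CONN_ACCEPTED, "10.0.0.5:51234"), _line(1, CLIENT_METADATA, "10.0.0.5:51234"),
     _line(30, CONN_ACCEPTED, "10.0.0.5:51240"), _line(30, CLIENT_METADATA, "10.0.0.5:51240")]
    + [_line(s, CONN_ACCEPTED, f"198.51.100.7:{40000 + s}") for s in range(10, 16)]
    + ["not json"])

if __name__ == "__main__":
    print(find_suspicious_sources(SAMPLE_LOG))  # {'198.51.100.7': (6, 0)}
```

Feed it the lines of the mongod JSON log and review each flagged IP against the connection metadata that normal drivers always send.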

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb

https://www.cyber.gc.ca/en/alerts-advisories/al25-021-vulnerability-affecting-mongodb-cve-2025-14847#fn5

https://www.varonis.com/blog/mongobleed-cve-2025-14847-memory-leak-vulnerability

UIT - Information Security