Dec 29 / Latest News

MongoBleed Vulnerability Actively Exploited, 87,000 MongoDB Servers at Risk

A newly disclosed MongoDB vulnerability, tracked as CVE‑2025‑14847, is now under active exploitation, with more than 87,000 potentially exposed instances identified worldwide. The flaw, nicknamed MongoBleed, carries a CVSS score of 8.7 and lets an unauthenticated remote attacker read sensitive data straight out of the server process's memory. Security researchers say the issue stems from a weakness in how MongoDB handles zlib‑compressed wire‑protocol messages; zlib is one of the compressors MongoDB enables by default, so a stock deployment is affected.

According to OX Security, the bug arises from how MongoDB decompresses zlib‑compressed network messages: an attacker can send crafted packets whose decompressed content is shorter than the length the message claims, and the response leaks fragments of other data. Cloud security firm Wiz further explained that the vulnerable logic reports the size of the buffer it allocated rather than the number of bytes zlib actually produced, so the unused tail of that buffer, which still holds whatever previously occupied that heap region, is treated as part of the message and echoed back. Because the flaw is reachable before authentication and requires no user interaction, internet‑facing MongoDB servers are considered especially vulnerable.
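The following is an added, self‑contained model of the bug class just described; it is not MongoDB's code and does not use MongoDB's real OP_COMPRESSED framing. The framing, the "recycled heap" buffer and the stale secret string are all constructed for the demo. The vulnerable path returns `declared` bytes (the allocation size the client chose), while the fixed path returns only the bytes inflate actually wrote:

```python
import zlib

# Constructed "secret" imagined to be left behind in freed heap memory by an
# earlier request. Demo data only.
STALE_HEAP = b"user=admin;password=hunter2;api_key=AKIA-DEMO-0000;"


def build_message(payload: bytes, declared_len: int) -> bytes:
    """Constructed demo framing (NOT MongoDB's real OP_COMPRESSED layout):
    a 4-byte little-endian 'uncompressed length' claimed by the client,
    followed by a zlib stream. A malicious client lies in the first field."""
    return declared_len.to_bytes(4, "little") + zlib.compress(payload)


def _recycled_buffer(size: int) -> bytearray:
    """Model malloc() handing back a chunk whose previous contents were never wiped."""
    reps = size // len(STALE_HEAP) + 1
    return bytearray((STALE_HEAP * reps)[:size])


def _inflate(msg: bytes):
    """Shared decompression step: allocate according to the claimed length,
    inflate into that buffer, and report both the allocation and the real output size."""
    declared = int.from_bytes(msg[:4], "little")
    if declared == 0:
        raise ValueError("claimed length must be positive")
    buf = _recycled_buffer(declared)
    # Inflate at most `declared` bytes; a short stream fills only a prefix of buf.
    out = zlib.decompressobj().decompress(msg[4:], max_length=declared)
    buf[: len(out)] = out
    return buf, declared, len(out)


def decompress_vulnerable(msg: bytes) -> bytes:
    """The bug class described above: the length handed to the caller is the
    allocation size (client-controlled), not the number of bytes inflate produced,
    so the stale remainder of the buffer is returned as message data."""
    buf, declared, _ = _inflate(msg)
    return bytes(buf[:declared])


def decompress_fixed(msg: bytes) -> bytes:
    """Corrected behaviour: return exactly what inflate wrote, nothing more."""
    buf, _, produced = _inflate(msg)
    return bytes(buf[:produced])


if __name__ == "__main__":
    # The client sends an 8-byte payload but claims it inflates to 64 bytes.
    probe = build_message(b"{ping:1}", declared_len=64)
    print(decompress_vulnerable(probe))  # payload followed by 56 bytes of stale "heap"
    print(decompress_fixed(probe))       # just the payload
```

The leak is per request and bounded by the claimed length, which is why repeated probes with large claimed sizes are the natural way to harvest memory. The fix is purely a bookkeeping change: trust the decompressor's output count, never the allocation size.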

Censys data shows the highest concentration of exposed instances in the U.S., China, Germany, India, and France. Wiz also reported that 42% of cloud environments contain at least one MongoDB instance running a vulnerable version, affecting both public‑facing and internal systems. The leaked data could include user information, passwords, API keys, and other sensitive operational details, depending on what happens to sit in the adjacent heap memory and how many requests an attacker is able to send before the server is patched or isolated.

MongoDB has released patches in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30, with fixes already applied to MongoDB Atlas. As a temporary mitigation, administrators are advised to disable zlib compression (the `net.compression.compressors` setting in mongod.conf, or `--networkMessageCompressors` on the command line) and restrict network exposure while monitoring logs for unusual pre‑authentication activity. The report also states that Ubuntu's rsync package is affected due to its use of zlib; note that the root cause described above is in MongoDB's own handling of the decompressed length rather than in zlib itself, so that exposure should be treated as a separate item to verify against the distribution's advisory rather than as the same bug.
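An added triage helper, not part of the article or of MongoDB's tooling, that encodes the fixed releases listed above and checks a compressor list. It assumes you feed it the string returned by `db.version()` in the shell and the comma‑separated value of `net.compression.compressors` (MongoDB's default is `snappy,zstd,zlib`); release lines not in the article's list return `None` so they are not silently marked safe:

```python
import re

# Fixed releases named in the article, keyed by release line (major, minor).
FIXED = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-\S+)?$")


def parse_version(s: str):
    """Return ((major, minor, patch), is_prerelease) for strings like '8.0.17' or '8.2.3-rc0'."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {s!r}")
    return tuple(int(x) for x in m.groups()[:3]), m.group(4) is not None


def needs_patch(version: str):
    """True if the version is below the fixed release for its line, False if at or above it,
    None if the line is not one the article lists (check the vendor advisory instead).
    A pre-release build of the fixed version itself is treated as unpatched."""
    v, pre = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed or (v == fixed and pre)


def zlib_enabled(compressors: str) -> bool:
    """True if 'zlib' appears in a comma-separated compressor list such as 'snappy,zstd,zlib'."""
    names = [c.strip().lower() for c in compressors.split(",") if c.strip()]
    return "zlib" in names


def hardened_compressors(compressors: str) -> str:
    """Return the same list with zlib removed; if nothing is left, 'disabled' turns
    network compression off entirely, which is also a valid value for this setting."""
    kept = [c.strip() for c in compressors.split(",")
            if c.strip() and c.strip().lower() != "zlib"]
    return ",".join(kept) or "disabled"


if __name__ == "__main__":
    # Constructed sample inventory: (host, db.version() output, configured compressors).
    inventory = [
        ("db-01", "8.0.16", "snappy,zstd,zlib"),
        ("db-02", "7.0.28", "snappy,zstd,zlib"),
        ("db-03", "4.2.25", "zlib"),
    ]
    for host, ver, comp in inventory:
        status = {True: "VULNERABLE", False: "patched", None: "unknown line"}[needs_patch(ver)]
        advice = f"set compressors to '{hardened_compressors(comp)}'" if zlib_enabled(comp) else "zlib off"
        print(f"{host}: {ver} -> {status}; {advice}")
```

Disabling zlib closes the reachable path described in the article but is a stopgap: the patched releases are the real fix, and restricting which networks can reach port 27017 limits the pre‑authentication exposure regardless of compressor settings.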