MongoBleed — CVE-2025-14847

A single malformed compressed message can expose any memory inside MongoDB servers. Shodan shows over 213,000 publicly-accessible MongoDB instances — no authentication required.

A bug in MongoDB's zlib message-compression lets unauthenticated attackers read arbitrary heap memory in versions since 2017 by abusing an oversized uncompressedSize and BSON parsing.

Source: Big Data Stream (Substack) — Source link

Highlights

Key points

• Attack sends a false, overly-large uncompressedSize to force a large heap allocation.
• Decompressed data length is not validated, leaving unreferenced heap garbage in the buffer.
• C++ malloc can expose previous memory contents (passwords, API keys, PII, configs).
• Malformed BSON without a null terminator causes the server to scan heap memory for the terminator and read sensitive bytes into field names.
• Server returns helpful error messages (invalid BSON field name) that leak the mined heap contents to the attacker.
• Mitigations: update to patched releases or disable zlib network compression as a short-term fix.
• Because parsing occurs pre-auth, any internet-accessible instance is at risk, making this a web-scale issue.

Timeline

• June 1, 2017 — Commit introducing the bug gets merged.
• Dec 17, 2025 — Code for the fix was written (original commit date).
• Dec 19, 2025 — CVE-2025-14847 officially published; MongoDB 8.0.17 containing the fix released.
• Dec 22, 2025 — Fix merged to the public MongoDB repository.
• Dec 24, 2025 — MongoDB announced the patch and said Atlas databases were fully patched.

Why this matters

Pre-auth arbitrary heap disclosure can expose credentials, API keys, customer data and system secrets. The bug lived in code since 2017, is trivial to exploit over the network, and affects hundreds of thousands of public instances — creating a high-impact, web-scale data-exfiltration risk. Patching or disabling zlib compression is an urgent, low-effort mitigation.