CVE-2025-14847 in MongoDB Under Exploitation

A vulnerability in MongoDB could allow a remote attacker to extract secrets, credentials or other sensitive data

Threat ID:: CC-4734
Threat Severity:: Medium
Published:: 30 December 2025 9:42 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

A vulnerability in MongoDB could allow a remote attacker to extract secrets, credentials or other sensitive data

Affected platforms

The following platforms are known to be affected:

MongoDB

8.2.0 to 8.2.2
8.0.0 to 8.0.16
7.0.0 to 7.0.26
6.0.0 to 6.0.26
5.0.0 to 5.0.31
4.4.0 to 4.4.29
All Server v4.2 versions
All Server v4.0 versions
All Server v3.6 versions

Threat details

Exploitation of CVE-2025-14847

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-14847 to their Known Exploited Vulnerabilities (KEV) Catalog. A proof-of-concept exploit and technical details for CVE-2025-14847 are publicly available.

The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

MongoDB has released security updates addressing a vulnerability widely being dubbed as 'MongoBleed'. A remote, unauthenticated attacker could exploit this vulnerability to extract secrets, credential, or other sensitive data. The vulnerability is under active exploitation.

CVE-2025-14847 - Improper Handling of Length Parameter Inconsistency vulnerability - CVSSv4 Score: 8.7

Remediation advice

Affected organisations are encouraged to review MongoDB Security Advisory SERVER-115508 and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://jira.mongodb.org/browse/SERVER-115508

CVE Vulnerabilities

Status Published

CVE-2025-14847

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Last edited: 30 December 2025 9:42 am