MongoBleed CVE-2025-14847 exploited in the wild

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Exploitation of this MongoDB vulnerability have been reported and exploit code has been publicly released. Immediate patching is recommended.

This critical severity RCE affecting MongoDB should be patched as soon as possible. Currently no known exploitation has been reported.

The version of MongoDB installed on the remote host is 3.6.x, 4.0.x, 4.2.x, 4.4.x prior to 4.4.30, 5.0.x prior to 5.0.32, 6.0.x prior to 6.0.27, 7.0.x prior to 7.0.28, 8.0.x prior to 8.0.17, or 8.2.x prior to 8.2.3. It is, therefore, affected by a uninitialized heap memeory leak vulnerability:

  - Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an     unauthenticated client. (CVE-2025-14847)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory     by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB     Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0     versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior     to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions     greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
    (CVE-2025-14847)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c1613867-df16-11f0-8870-b42e991fc52e advisory.

    https://jira.mongodb.org/browse/SERVER-115508 reports:
    Mismatched length fields in Zlib compressed protocol             headers may allow a read of uninitialized heap memory by an             unauthenticated client.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
280124	MongoDB 3.6.x / 4.0.x / 4.2.x / 4.4.x < 4.4.30 / 5.0.x < 5.0.32 / 6.0.x < 6.0.27 / 7.0.x < 7.0.28 / 8.0.x < 8.0.17 / 8.2.x < 8.2.3 Uninitialized Heap Memory Leak (CVE-2025-14847)	Nessus	Misc.	high
279586	Linux Distros Unpatched Vulnerability : CVE-2025-14847	Nessus	Misc.	high
279580	FreeBSD : MongoDB -- Improper Handling of Length Parameter Inconsistency (c1613867-df16-11f0-8870-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2025-14847

high

Tenable Plugins

high

high

high