MongoBleed: The Heartbleed of Databases (CVE-2025-14847)

Alon Barad

Software Engineer

Jan 1, 2026·5 min read·7 visits

Active ExploitationCISA KEV ListedRansomware Use

Executive Summary (TL;DR)

Dubbed 'MongoBleed', this vulnerability mimics the infamous Heartbleed bug. By sending a crafted compressed packet, an unauthenticated attacker can trick the server into treating uninitialized heap memory as valid data. When the parser inevitably chokes on the garbage data, it helpfully echoes it back in an error message, leaking sensitive secrets like admin credentials and session tokens.

A critical, unauthenticated heap memory disclosure vulnerability in MongoDB's wire protocol handling allows attackers to bleed secrets—including passwords and AWS keys—directly from server memory.

Attack Flow Diagram

Official Patches

MongoDBOfficial MongoDB Security Alert

Fix Analysis (1)

Technical Appendix

CVSS Score

8.7/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

77.17%

Top 4% most exploited

45,000

Estimated exposed hosts via Shodan

Affected Systems

MongoDB Server 8.2.0 - 8.2.2MongoDB Server 8.0.0 - 8.0.16MongoDB Server 7.0.0 - 7.0.27MongoDB Server 6.0.0 - 6.0.26MongoDB Server 5.0.0 - 5.0.31MongoDB Server 4.4.0 - 4.4.29MongoDB Server 3.6, 4.0, 4.2 (All versions, EOL)

Affected Versions Detail

Product	Affected Versions	Fixed Version
MongoDB Server MongoDB Inc.	8.2.0 - 8.2.2	8.2.3
MongoDB Server MongoDB Inc.	8.0.0 - 8.0.16	8.0.17
MongoDB Server MongoDB Inc.	7.0.0 - 7.0.27	7.0.28
MongoDB Server MongoDB Inc.	6.0.0 - 6.0.26	6.0.27
MongoDB Server MongoDB Inc.	5.0.0 - 5.0.31	5.0.32
MongoDB Server MongoDB Inc.	4.4.0 - 4.4.29	4.4.30
MongoDB Server MongoDB Inc.	3.6, 4.0, 4.2	None (EOL)

Attribute	Detail
CWE ID	CWE-200 (Exposure of Sensitive Information)
CVSS v4.0	8.7 (High)
Attack Vector	Network (Unauthenticated)
EPSS Score	77.17%
Exploit Status	Active / Weaponized
Component	message_compressor_zlib.cpp
Protocol	OP_COMPRESSED (2012)