The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a MongoDB vulnerability to its Known Exploited Vulnerabilities Catalog, confirming that it is being actively exploited. CISA urges users to patch it before January 19, 2026. Tracked as CVE-2025-14847, the vulnerability carries a high severity rating with a CVSS score of 8.7. Successful exploitation may allow a remote, unauthenticated attacker to disclose sensitive data from the MongoDB server's memory. The vulnerability affects multiple supported and legacy MongoDB Server versions.
MongoDB is a popular, open-source, NoSQL (non-relational) document database that stores data as flexible, JSON-like documents (BSON) within collections. It uses a flexible schema that allows data structures to evolve, unlike traditional tables with rigid rows and columns.
Vulnerability Details
The vulnerability originates from a defect in MongoDB Server's zlib-based network message decompression, which runs before any authentication check is performed. An unauthenticated attacker can send specially crafted compressed packets that cause the server to miscalculate the decompressed message length and return uninitialized heap memory to the client. This enables remote leakage of sensitive in-memory data fragments without credentials or user involvement.
At the code level, the flaw stems from incorrect length handling in message_compressor_zlib.cpp, where the logic erroneously returns the full allocated buffer size (output.length()) instead of the actual decompressed data length. As a result, adjacent heap memory is exposed when undersized or malformed payloads are processed.
Because the flaw is reachable before authentication and requires no user interaction, publicly accessible MongoDB servers face heightened risk. The flaw also impacts the Ubuntu rsync package due to its zlib dependency, though rsync-specific exploits remain undisclosed.
The Qualys Threat Research Unit successfully tested the exploitation in a lab environment.
Image Source: Qualys Threat Research Unit (TRU)
Affected versions
- MongoDB 8.2.0 through 8.2.2
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
Mitigation
Users must upgrade to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30 to patch the vulnerability.
For more information, please refer to the MongoDB Security Advisory.
Workaround
The vendor recommends that users disable zlib compression on the MongoDB Server by starting mongod or mongos with the --networkMessageCompressors command-line option, or the net.compression.compressors configuration-file setting, set to a value that explicitly omits zlib. Example safe values include snappy,zstd, or disabled.
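The following script is an added example (not code from Qualys or the MongoDB project) that turns the affected-version list, the fixed releases, and the zlib workaround above into an offline check a defender can run against inventory data. It compares a server version string against the advisory's ranges, and inspects a compressor setting in the form it takes on the command line, in the config file, or in the output of the admin command getCmdLineOpts. The sample getCmdLineOpts document is constructed for illustration, and the assumption that an absent compressors option means zlib is enabled by default is the script's own, not something the advisory states.

```python
"""Offline exposure checks for CVE-2025-14847: version ranges and zlib compressor setting."""
import re

# Affected ranges and fixed releases as listed in the advisory:
# (major, minor) -> (highest affected patch level, fixed release to upgrade to).
AFFECTED = {
    (8, 2): (2, "8.2.3"),
    (8, 0): (16, "8.0.17"),
    (7, 0): (26, "7.0.28"),
    (6, 0): (26, "6.0.27"),
    (5, 0): (31, "5.0.32"),
    (4, 4): (29, "4.4.30"),
}
# Lines where every release is affected and no fixed release exists.
EOL_LINES = {(4, 2), (4, 0), (3, 6)}


def parse_version(text):
    """Parse 'v7.0.26', '7.0.26-rc0' etc. into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(text):
    """Return (vulnerable, recommendation) for a MongoDB Server version string."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in EOL_LINES:
        return True, "every release on this line is affected; migrate to a supported line"
    if line not in AFFECTED:
        return False, "version line is not listed as affected in the advisory"
    max_affected, fixed = AFFECTED[line]
    fixed_patch = parse_version(fixed)[2]
    if patch >= fixed_patch:
        return False, f"{major}.{minor}.{patch} is at or beyond the fixed release {fixed}"
    if patch <= max_affected:
        return True, f"upgrade to {fixed} or later"
    # Gap between the last listed affected patch and the fixed release (e.g. 7.0.27):
    # the advisory does not list it, so flag it for manual verification rather than clearing it.
    return False, f"not listed as affected but below fixed release {fixed}; verify manually"


def zlib_enabled(compressors):
    """compressors is the value of --networkMessageCompressors /
    net.compression.compressors, as a comma-separated string or a list.
    None means the option is absent; ASSUMPTION: the server default then includes zlib."""
    if compressors is None:
        return True
    if isinstance(compressors, str):
        items = [c.strip().lower() for c in compressors.split(",") if c.strip()]
    else:
        items = [str(c).strip().lower() for c in compressors]
    if items == ["disabled"]:
        return False
    return "zlib" in items


def assess_cmdline_opts(doc):
    """Check a getCmdLineOpts-shaped document (the 'parsed' subtree) for zlib."""
    compressors = (
        doc.get("parsed", {}).get("net", {}).get("compression", {}).get("compressors")
    )
    return zlib_enabled(compressors)


# Constructed sample of what db.adminCommand({getCmdLineOpts: 1}) might return
# for a server started with a safe compressor list; not captured from a real host.
SAMPLE_OPTS = {
    "argv": ["mongod", "--config", "/etc/mongod.conf"],
    "parsed": {"net": {"compression": {"compressors": "snappy,zstd"}}},
    "ok": 1,
}


if __name__ == "__main__":
    for v in ("8.0.16", "8.0.17", "7.0.27", "4.2.25"):
        print(v, assess_version(v))
    print("zlib enabled in sample:", assess_cmdline_opts(SAMPLE_OPTS))
```

A host is only clear when both checks pass: an unpatched version with zlib removed from the compressor list is still exposed to any later mistake in configuration management, and a patched version with zlib enabled is fine because the fix is in the decompression code itself, so the workaround is interim relief, not a substitute for the upgrade.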
Qualys Detection
Qualys customers can scan their devices with QIDs 386257, 20525, and 692172 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://jira.mongodb.org/browse/SERVER-115508
https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb