ID: I202512291459 Status: idea Tags: CVE, MongoDB, vulnerability

MongoBleed CVE-2025-14847

On Christmas there was a new vulnerability released called MongoBleed. Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client.

It is rated as a lever 8.7 or 7.5 depending on the version of MongoDB. Users that do not have their own database and instead use MongoDB Atlas are not affected because the reporter has already contacted the MongoDB team before making it public.

affected:

• affected from 8.2 before 8.2.3 
• affected from 8.0 before 8.0.17 
• affected from 7.0 before 7.0.28 
• affected from 6.0 before 6.0.27 
• affected from 5.0 before 5.0.32 
• affected from 4.4 before 4.4.30 
• affected at 4.2 
• affected at 4.0 
• affected at 3.6

The CVE is named MongoBleed because it works the same way as the Heartbleed CVE from 2014. You can read more about Hearbleed on www.heartbleed.com.

---

References

• CVE.org
• NCSC
• National vulnerability DB
• Aikido
• mongobleed detector github script.