An early end to the holidays: ‘Heartbleed of MongoDB’ is now under active exploit

Summary

A high-severity vulnerability in MongoDB Server (CVE-2025-14847, CVSS 8.7) related to zlib-compressed protocol headers is now being actively exploited. Proofs of concept emerged over Christmas and researchers dubbed the issue “MongoBleed” — likening it to Heartbleed due to its potential to leak memory contents. An unauthenticated remote attacker can craft malformed packets to read uninitialised heap memory, potentially exposing user data, credentials, API keys and other secrets.

The flaw was identified on 15 December and patched by MongoDB shortly afterwards; a public proof of concept was published on 26 December. The US CISA has added the vulnerability to its known exploited vulnerabilities catalogue. MongoDB urges immediate upgrade to fixed releases or, if an immediate upgrade is impossible, disabling zlib compression on the server as a mitigation.

Key Points

  • CVE-2025-14847 affects MongoDB Server’s handling of zlib-compressed network messages and can leak uninitialised heap memory.
  • The vulnerability has a CVSS score of 8.7 and proofs of concept appeared during the Christmas period (public PoC on 26 December).
  • CISA has listed the flaw as a known exploited vulnerability — attacks are happening in the wild.
  • Attackers may need to send many requests to harvest useful data, but persistent access over time can yield sensitive information (passwords, API keys, user data).
  • Mitigation: upgrade to MongoDB fixed releases immediately; if you cannot, disable zlib compression on affected servers and isolate any internet-exposed instances.
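The mitigation bullet above is easy to get subtly wrong: a mongod.conf that never mentions compression is not safe, because the server falls back to its default compressor list, which includes zlib. The following audit script is an added example, not code from The Register or from MongoDB; it assumes the documented default list is `snappy,zstd,zlib`, that the value `disabled` switches compression off, and that the config uses the usual YAML layout (the sample configs are constructed).

```python
"""Audit mongod.conf for the CVE-2025-14847 interim mitigation: no zlib.
Assumption: an unset net.compression.compressors means mongod's documented
default "snappy,zstd,zlib", so an absent key still leaves zlib enabled.
"""

DEFAULT_COMPRESSORS = "snappy,zstd,zlib"  # assumed mongod default when unset


def find_compressors(conf_text: str):
    """Return net.compression.compressors, or None if unset (minimal YAML walk)."""
    path = []  # stack of (indent, key) describing the current nesting
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # climb out of deeper blocks
            path.pop()
        path.append((indent, key.strip()))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return value.strip().strip("'\"")
    return None


def zlib_enabled(conf_text: str) -> bool:
    """True if the server would still negotiate zlib with clients."""
    value = find_compressors(conf_text) or DEFAULT_COMPRESSORS
    return "zlib" in [c.strip() for c in value.split(",")]


def hardened_compressors(conf_text: str) -> str:
    """Value to set so zlib is removed while any other compressors are kept."""
    value = find_compressors(conf_text) or DEFAULT_COMPRESSORS
    keep = [c.strip() for c in value.split(",") if c.strip() != "zlib"]
    return ",".join(keep) if keep else "disabled"


# Constructed sample configs, not real deployments.
VULN_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
DEFAULT_CONF = "net:\n  port: 27017\nstorage:\n  dbPath: /var/lib/mongodb\n"
SAFE_CONF = "net:\n  compression:\n    compressors: snappy,zstd\n"

if __name__ == "__main__":
    for name, conf in [("vuln", VULN_CONF), ("default", DEFAULT_CONF), ("safe", SAFE_CONF)]:
        print(name, "zlib enabled:", zlib_enabled(conf), "-> set:", hardened_compressors(conf))
```

Disabling zlib is only the stop-gap the article describes; the check is meant to confirm the interim step on servers that cannot yet be upgraded, not to replace the patch.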

Why should I read this

Short version: if you run MongoDB, this is urgent. It’s actively being used to steal data and proofs of concept are public — so it’s not theoretical. Patch now or at least switch off zlib compression. We’ve sat through the doomscroll so you don’t have to: this one can leak secrets quietly, and that makes it really nasty.

Context and Relevance

This is a classic example of a decompression/length-mismatch memory-leak vector resurfacing in modern systems — think Heartbleed for NoSQL. Exposed databases are prime targets for opportunistic attackers and for lateral movement once inside a network. For security teams, DBAs and incident responders this elevates typical holiday-week risk: public PoCs plus active exploitation equals high priority patching and forensic triage.

The incident also highlights a broader trend: protocol and compression-layer bugs continue to be high-impact attack surfaces. Organisations with internet-facing or poorly segmented MongoDB instances are particularly at risk; private servers reachable via lateral access are also vulnerable.

Author’s note

Punchy: Treat this like an incident — if you’re responsible for any MongoDB workload, push the patch, disable zlib if you can’t, and hunt for signs of data exfiltration. This isn’t one to file away under “later”.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/30/mongodb_vuln_exploited_cve_2025_14847/