CVE-2025-14847
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - [Actively Exploited]
Description
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
INFO
Published Date: Dec. 19, 2025, 11:15 a.m.
Last Modified: Dec. 31, 2025, 5:32 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://jira.mongodb.org/browse/SERVER-115508 ; https://nvd.nist.gov/vuln/detail/CVE-2025-14847
CVSS Scores
| Version | Severity | Vector | Source |
|---|---|---|---|
| CVSS 3.1 | HIGH | | a39b4221-9bd0-4244-95fc-f3e2e07f1deb |
| CVSS 3.1 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | [email protected] |
| CVSS 4.0 | HIGH | | a39b4221-9bd0-4244-95fc-f3e2e07f1deb |
| CVSS 4.0 | HIGH | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X | [email protected] |
Solution
- Update MongoDB Server to a patched version.
- Apply vendor-provided security updates.
- Ensure all affected server versions are updated.
Public PoC/Exploit Available at Github
CVE-2025-14847 has 65 public PoCs/exploits available on GitHub; the list is given in the Public Exploits section below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-14847.
| URL | Resource |
|---|---|
| https://jira.mongodb.org/browse/SERVER-115508 | Issue Tracking Patch Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2025/12/29/21 | Mailing List |
| https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server | Exploit Third Party Advisory |
| https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847 | Third Party Advisory US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-14847 is associated with the following CWEs:
- CWE-130: Improper Handling of Length Parameter Inconsistency
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-14847 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by the most recently updated). Each entry gives the repository description, its GitHub topics where present, and the languages detected.
- A Telegram bot that monitors trending CVEs from https://cvemon.intruder.io and posts them to your channel every 5 minutes. (Dockerfile, Python)
- Full automation check for CVE-2025-14847 MongoBleed: finds origin IP and tests for exploit. (Python)
- CVE-2025-14847 MongoDB Memory Leak Exploit. (Python)
- Mongobleed Detector CVE-2025-14847. (Python)
- No description. (JavaScript, Python)
- Academic proof-of-concept demonstrating CVE-2026-21445 [LangFlow] for authorized security research. Topics: codeb0ss, langflow, cve-2026-21445, cve-2026-21445-poc. (Python)
- MongoBleed (CVE-2025-14847) Lab & PoC: A complete educational environment to reproduce the critical unauthenticated memory leak in MongoDB. Includes a vulnerable Docker container with multi-database seeding (PII, API keys) and a Python exploit to demonstrate data extraction. Ideal for security research and awareness. 1-day analysis. (Python, JavaScript)
- CVE-2025-14847 PoC exploit for MongoDB heap memory disclosure. Topics: ruby, mongodb, penetration-testing, exploit. (Ruby, Makefile)
- MongoBleed CVE-2025-14847 Vulnerability Checker. (Python)
- No description.
- This repo contains my python script version of CVE-2025-14847 (MongoBleed). (Python)
- Academic proof-of-concept demonstrating CVE-2025-68645 for authorized security research. Topics: zimbra, cve-2025-68645, cve-2025-68645-poc, cve-2025-68645-zimbra. (Python)
- No description. (Go)
- No description. (JavaScript, Rust)
- CVE-2025-14847 MongoBleed - MongoDB Memory Leak Vulnerability PoC. (Python, JavaScript, Shell)
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2025-14847 vulnerability anywhere in the article.
- The Hacker News: Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release (Jan 08, 2026, Ravie Lakshmanan, Network Security / Vulnerability). Cisco has released updates to address a medium-severity security flaw in Identity Services Engine (ISE) and ISE Passive Identity Connecto ...
- The Hacker News: Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances (Jan 08, 2026, Ravie Lakshmanan, Vulnerability / Container Security). Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-h ...
- The Hacker News: CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited (Jan 08, 2026, Ravie Lakshmanan, Vulnerability / KEV Catalog). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett ...
- The Hacker News: Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers (Jan 07, 2026, Ravie Lakshmanan, Network Security / Vulnerability). A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulner ...
- The Cyber Express: What Is a Proxy Server? A Complete Guide to Types, Uses, and Benefits. The term proxy server is very popular these days, especially when discussions are around internet security, internet privacy, and network management. But what exactly is a proxy server? What purpose d ...
- The Cyber Express: Critical n8n Vulnerability Allows Arbitrary Command Execution (CVE-2025-68668). A newly disclosed n8n vulnerability has been confirmed to allow authenticated users to execute arbitrary system commands on affected servers. The issue, tracked as CVE-2025-68668, has been assigned a ...
- The Hacker News: New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands (Jan 06, 2026, Ravie Lakshmanan, Vulnerability / DevOps). A new critical security vulnerability has been disclosed in n8n, an open-source workflow automation platform, that could enable an authenticated at ...
- The Hacker News: Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers (Jan 06, 2026, Ravie Lakshmanan, Vulnerability / Web Security). Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical secu ...
- The Cyber Express: CISA Known Exploited Vulnerabilities Soared 20% in 2025. After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble's analysis of CISA's Known Exploited Vulnerability (KEV) catalog data f ...
- The Cyber Express: Critical IBM API Connect Vulnerability Enables Authentication Bypass. IBM has released security updates to address a critical IBM API Connect vulnerability that could allow remote attackers to bypass authentication controls and gain unauthorized access to affected appli ...
- The Cyber Express: A Week That Set the Tone for 2026: Cyber Laws, Breaches, and Disinformation. This week, The Cyber Express takes a closer look at the events shaping the global cybersecurity landscape as we transition from 2025 to 2026. Throughout this week, we covered new cybersecurity laws, i ...
- CybersecurityNews: Lessons From Mongobleed Vulnerability (CVE-2025-14847) That Actively Exploited In The Wild. The cybersecurity community was alarmed in late December 2025 when MongoDB announced a serious vulnerability called "Mongobleed" (CVE-2025-14847). This high-severity flaw allows unauthenticated attack ...
- The Hacker News: ThreatsDay Bulletin: GhostAd Drain, macOS Attacks, Proxy Botnets, Cloud Exploits, and 12+ Stories. The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic: new year, new breaches, new tricks. If the past twelve months taught defenders anything, it's that threat actors don' ...
- CybersecurityNews: Top 10 High-Risk Vulnerabilities Of 2025 that Exploited in the Wild. The cybersecurity landscape in 2025 has been marked by an unprecedented surge in critical vulnerabilities, with over 21,500 CVEs disclosed in the first half of the year alone, representing a 16-18% in ...
- The Hacker News: RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers (Jan 01, 2025, Ravie Lakshmanan, Network Security / Vulnerability). Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devi ...
- The Cyber Express: Singapore CSA Warns of Critical SmarterMail Flaw Enabling Unauthenticated Remote Code Execution. The Cyber Security Agency of Singapore (CSA) has issued a high-priority alert warning organizations and system administrators about a critical security vulnerability affecting SmarterMail, an enterpri ...
- BleepingComputer: CISA orders feds to patch MongoBleed flaw exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to secure their systems against a high-severity MongoDB flaw that is actively being exploited in attacks. D ...
- DataBreaches.Net: US, Australia say 'MongoBleed' bug being exploited. Jonathan Greig reports: U.S. and Australian cyber agencies confirmed that hackers are exploiting a vulnerability that emerged over the Christmas holiday and is impacting data storage systems from the ...
- CybersecurityNews: Critical Vulnerability in SmarterMail Let Attackers Execute Remote Code. SmarterTools has issued an urgent security advisory addressing a critical vulnerability in SmarterMail that could allow attackers to execute remote code on mail servers. The flaw, tracked as CVE-2025- ...
- CybersecurityNews: CISA Warns of MongoDB Server Vulnerability (CVE-2025-14847) Exploited in Attacks. CISA has added a critical MongoDB Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively exploited in cyberattacks. CVE-2025-14847 affects M ...
The following table lists the changes that have been made to the CVE-2025-14847 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected] (Dec. 31, 2025)
  - Added CPE Configuration (OR):
    - cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 4.4.30
    - cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* versions from (including) 5.0.0 up to (excluding) 5.0.32
    - cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* versions from (including) 6.0.0 up to (excluding) 6.0.27
    - cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.28
    - cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* versions from (including) 8.0.0 up to (excluding) 8.0.17
    - cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:* versions from (including) 8.2.0 up to (excluding) 8.2.3
  - Added Reference Type (CVE): http://www.openwall.com/lists/oss-security/2025/12/29/21 (Types: Mailing List)
  - Added Reference Type (MongoDB, Inc.): https://jira.mongodb.org/browse/SERVER-115508 (Types: Issue Tracking, Patch, Vendor Advisory)
  - Added Reference Type (CISA-ADP): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847 (Types: Third Party Advisory, US Government Resource)
  - Added Reference Type (CVE): https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server (Types: Exploit, Third Party Advisory)
  - Added Reference Type (CVE): https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server (Types: Exploit, Third Party Advisory)
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Dec. 31, 2025)
  - Added Reference: https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server
  - Added Reference: https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Dec. 30, 2025)
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Dec. 29, 2025)
  - Added Reference: http://www.openwall.com/lists/oss-security/2025/12/29/21
- New CVE Received by [email protected] (Dec. 19, 2025)
  - Added Description: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
  - Added CVSS V4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  - Added CWE: CWE-130
  - Added Reference: https://jira.mongodb.org/browse/SERVER-115508