CVE-2025-14847
Zlib compressed protocol header length confusion may allow memory read
In short
MongoDB Server's handling of zlib-compressed wire-protocol messages trusts a header length field that can disagree with the real decompressed size, letting an unauthenticated remote client read uninitialized heap memory from the server process. The leaked bytes can contain sensitive data, and no credentials are needed to trigger the read.
Technical detail
The flaw is in the parsing of zlib compressed protocol (OP_COMPRESSED) message headers: the server does not reconcile the length declared in the compressed header with the amount of data the payload actually inflates to. An unauthenticated remote client can send a crafted compressed message whose declared length exceeds the real decompressed size and thereby leak uninitialized heap memory contents, potentially exposing sensitive data from the server process. Any client that can reach the listening port can trigger the condition; no authentication step is involved.
Summary generated and translated by AI from the official description.
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
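The length confusion described above, as an added example that is not code from the advisory or from MongoDB: it frames a zlib OP_COMPRESSED message whose declared uncompressedSize does not match what the payload inflates to, then decodes it with a decoder that sizes its output by the header (the bug pattern) and with one that cross-checks the lengths. The opcodes, compressor id and header layout are the public MongoDB wire-protocol values; the inner OP_MSG body is a constructed {"ping": 1} command, and the 0xAA filler only stands in for whatever an uninitialized allocation would hold.

```python
"""
Added example (not code from the advisory or from MongoDB): frames a zlib
OP_COMPRESSED wire-protocol message whose declared uncompressedSize does not
match what the payload inflates to, then decodes it two ways. The opcodes,
compressor id and header layout are the public MongoDB wire-protocol values;
the inner OP_MSG body is a constructed {"ping": 1} command.
"""
import struct
import zlib

OP_MSG = 2013
OP_COMPRESSED = 2012
COMPRESSOR_ZLIB = 2
MSG_HEADER_LEN = 16       # messageLength, requestID, responseTo, opCode (int32 LE)
COMPRESSED_HDR_LEN = 9    # originalOpcode int32, uncompressedSize int32, compressorId uint8
MAX_MESSAGE_SIZE = 48 * 1024 * 1024   # MongoDB's maxMessageSizeBytes

# Stand-in for whatever a freshly allocated buffer happened to contain; a real
# server would hand back heap contents here.
UNINIT = b"\xaa"

# Constructed OP_MSG body: flagBits=0, one kind-0 section holding BSON {"ping": 1}.
INNER_MSG = (b"\x00\x00\x00\x00" + b"\x00"
             + b"\x0f\x00\x00\x00" + b"\x10ping\x00" + b"\x01\x00\x00\x00" + b"\x00")


def build_op_compressed(inner_body, declared_size, request_id=1):
    """Wrap inner_body in zlib OP_COMPRESSED; the caller picks the advertised size."""
    payload = zlib.compress(inner_body)
    body = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + payload
    header = struct.pack("<iiii", MSG_HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def parse_frame(msg):
    """Split the standard header and the OP_COMPRESSED sub-header."""
    if len(msg) < MSG_HEADER_LEN + COMPRESSED_HDR_LEN:
        raise ValueError("message too short")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if msg_len != len(msg) or opcode != OP_COMPRESSED:
        raise ValueError("bad outer header")
    orig_op, declared, comp_id = struct.unpack_from("<iiB", msg, MSG_HEADER_LEN)
    if comp_id != COMPRESSOR_ZLIB:
        raise ValueError("not a zlib-compressed message")
    return orig_op, declared, msg[MSG_HEADER_LEN + COMPRESSED_HDR_LEN:]


def decode_trusting_header(msg):
    """Length-confusion pattern: size the output by the declared length, inflate
    into it, and pass the whole buffer on. Bytes inflate never wrote stay as
    whatever the allocation held."""
    _op, declared, payload = parse_frame(msg)
    buf = bytearray(UNINIT * max(declared, 0))
    out = zlib.decompress(payload)
    n = min(len(out), len(buf))
    buf[:n] = out[:n]
    return bytes(buf)               # length follows the header, not the inflated data


def decode_checked(msg):
    """Hardened decoder: bound the declared size, inflate with a cap one byte above
    it so an oversize payload is caught without inflating all of it, and reject any
    mismatch between declared and actual length."""
    _op, declared, payload = parse_frame(msg)
    if declared < 0 or declared > MAX_MESSAGE_SIZE:
        raise ValueError("declared uncompressedSize out of range")
    d = zlib.decompressobj()
    out = d.decompress(payload, declared + 1)
    if len(out) != declared or not d.eof or d.unconsumed_tail or d.unused_data:
        raise ValueError(f"length mismatch: declared {declared}, inflated {len(out)}")
    return out


def rejects(msg):
    """True if the hardened decoder refuses the message."""
    try:
        decode_checked(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    lying = build_op_compressed(INNER_MSG, len(INNER_MSG) + 64)
    leaked = decode_trusting_header(lying)
    print("trusting decoder returned", len(leaked), "bytes;",
          leaked[len(INNER_MSG):].count(UNINIT), "never written by inflate")
    print("checked decoder rejects it:", rejects(lying))
```

The hardened decoder deliberately inflates to at most declared + 1 bytes: an honest message ends exactly at declared with the stream's end marker seen, a payload that is larger than advertised produces the extra byte and is refused before the rest is inflated, and a payload that is smaller than advertised (the over-read case the advisory describes) fails the equality check instead of being padded out with whatever the buffer held.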
Affected products
MongoDB Inc. · MongoDB Server
Public PoCs found — 41
github.com/Black1hp/mongobleed-scanner ★ 36
github.com/cybertechajju/CVE-2025-14847_Expolit ★ 31
github.com/ProbiusOfficial/CVE-2025-14847 ★ 25
github.com/onewinner/CVE-2025-14847 ★ 14
github.com/Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847 ★ 13
github.com/chinaxploiter/CVE-2025-14847-PoC ★ 4
github.com/joshuavanderpoll/CVE-2025-14847 ★ 3
github.com/franksec42/mongobleed-exploit-CVE-2025-14847 ★ 3
github.com/peakcyber-security/CVE-2025-14847 ★ 2
github.com/nma-io/mongobleed ★ 2
github.com/alexcyberx/CVE-2025-14847_Expolit ★ 2
github.com/lincemorado97/CVE-2025-14847 ★ 1
github.com/sakthivel10q/CVE-2025-14847 ★ 1
github.com/FurkanKAYAPINAR/CVE-2025-14847-MongoBleed-Exploit ★ 1
github.com/NoNameError/MongoBLEED---CVE-2025-14847-POC- ★ 1
github.com/waheeb71/CVE-2025-14847 ★ 1
github.com/CadGoose/MongoBleed-CVE-2025-14847-Fully-Automated-scanner ★ 1
github.com/AdolfBharath/mongobleed ★ 1
github.com/InfoSecAntara/CVE-2025-14847-MongoDB ★ 1
github.com/dawnsmithcyber/azure-vulnerability-remediation-project ★ 1
github.com/amnnrth/CVE-2025-14847 ★ 0
github.com/Rishi-kaul/CVE-2025-14847-MongoBleed ★ 0
github.com/Systemhaus-Schulz/MongoBleed-CVE-2025-14847 ★ 0
github.com/ElJoamy/MongoBleed-exploit ★ 0
github.com/keraattin/Mongobleed-Detector-CVE-2025-14847 ★ 0
github.com/shokribardiya/CVE-2025-14847-mongobleed ★ 0
github.com/sho-luv/MongoBleed ★ 0
github.com/im-hanzou/mongobleed ★ 0
github.com/0xBlackash/CVE-2025-14847 ★ 0
github.com/sahar042/CVE-2025-14847 ★ 0
github.com/saereya/CVE-2025-14847---MongoBleed ★ 0
github.com/KingHacker353/CVE-2025-14847_Expolit ★ 0
github.com/pedrocruz2202/mongobleed-scanner ★ 0
github.com/pedrocruz2202/pedrocruz2202.github.io ★ 0
github.com/14mb1v45h/CYBERDUDEBIVASH-MONGODB-DETECTOR-v2026 ★ 0
github.com/kuyrathdaro/cve-2025-14847 ★ 0
github.com/JemHadar/MongoBleed-DFIR-Triage-Script-CVE-2025-14847 ★ 0
github.com/tunahantekeoglu/MongoDeepDive ★ 0
github.com/vfa-tuannt/CVE-2025-14847 ★ 0
github.com/j0lt-github/mongobleedburp ★ 0
github.com/sakthivel10q/sakthivel10q.github.io ★ 0
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
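Before reaching for any of the scanners above, the quickest check is the server's own version string against the ranges in the official description. The classifier below is an added example, not part of the advisory or of any listed repository: branches the description does not name (for instance 8.1) are reported as not listed rather than guessed, a pre-release suffix such as "-rc0" is ignored as a simplification, and the file name check_version.py in the usage comment is hypothetical.

```python
"""
Added example (not part of the advisory): classify a MongoDB Server version
against the affected and fixed ranges given in the official description.
Branches the description does not name (e.g. 8.1) are reported as not listed
rather than guessed, and a pre-release suffix such as "-rc0" is ignored, which
is a simplification.
"""
import re
import sys

# First fixed patch release per branch, from the official description.
FIXED_IN = {
    (8, 2): 3,
    (8, 0): 17,
    (7, 0): 28,
    (6, 0): 27,
    (5, 0): 32,
    (4, 4): 30,
}
# Branches the description lists as affected from x.y.0 with no fixed release.
NO_FIX_LISTED = {(4, 2), (4, 0), (3, 6)}

AFFECTED, FIXED, NOT_LISTED = "affected", "fixed", "not_listed"


def parse_version(text):
    """'7.0.27', 'v7.0.27' or '7.0.27-rc0' -> (7, 0, 27)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(text):
    """Return (status, first_fixed_version_or_None) for a version string."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in NO_FIX_LISTED:
        return AFFECTED, None
    if branch in FIXED_IN:
        fixed = f"{major}.{minor}.{FIXED_IN[branch]}"
        return (AFFECTED if patch < FIXED_IN[branch] else FIXED), fixed
    return NOT_LISTED, None


if __name__ == "__main__":
    # Usage (file name hypothetical):
    #   mongosh --quiet --eval 'db.version()' | python3 check_version.py
    #   python3 check_version.py 7.0.27
    raw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    status, fixed = classify(raw)
    print(raw.strip(), "->", status, f"(fixed in {fixed})" if fixed else "")
```

Upgrading to the fixed release for the branch is the remediation. Where that has to wait, the server's net.compression.compressors setting controls which compressors it negotiates, and a list without zlib keeps clients from selecting it; the 4.2, 4.0 and 3.6 branches have no fixed release named, so hosts on them need to move to a supported branch.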
References
https://jira.mongodb.org/browse/SERVER-115508
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847
https://www.smartkeyss.com/post/mongobleed-pre-auth-memory-disclosure-via-op_compressed-in-mongodb-cve-2025-14847
https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server
https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server
http://www.openwall.com/lists/oss-security/2025/12/29/21