December 27, 2025
Critical Information Disclosure Vulnerability in MongoDB (CVE-2025-14847)
Executive Summary
On December 19th, software company MongoDB published an advisory regarding a critical vulnerability (tracked as CVE-2025-14847) in their popular database engine of the same name. The vulnerability is an information disclosure issue that allows a successful unauthenticated attacker to leak portions of host memory on a victim machine, potentially disclosing sensitive data such as authentication material. The vulnerability impacts all modern versions of MongoDB released in the last 5 years. On December 24th, security firm Ox Security published enough technical details to create a weaponized exploit, and on December 25th, a technical lead from Elastic published proof-of-concept exploit code to GitHub.
This vulnerability is similar to previous high-profile information leak bugs such as “Heartbleed” and “Citrixbleed” in that it is trivially easy to exploit repeatedly, which an attacker must do in order to make operational use of it and gather as much sensitive information as possible from the system’s uninitialized memory. MongoDB released patches on the same day as their advisory, and given the availability of working PoC code, Beazley Security Labs believes that mass exploitation of this vulnerability against exposed MongoDB instances will occur. As such, Beazley Security strongly recommends that affected organizations apply patches immediately.
Affected Systems or Products
| Product | Affected Versions | Fixed Version |
|---|---|---|
| MongoDB 8.2.0 | through 8.2.3 | 8.2.3 |
| MongoDB 8.0.0 | through 8.0.16 | 8.0.17 |
| MongoDB 7.0.0 | through 7.0.26 | 7.0.28 |
| MongoDB 6.0.0 | through 6.0.26 | 6.0.27 |
| MongoDB 5.0.0 | through 5.0.31 | 5.0.32 |
| MongoDB 4.4.0 | through 4.4.29 | 4.4.30 |
| MongoDB Server v4.2 | All | None |
| MongoDB Server v4.0 | All | None |
| MongoDB Server v3.6 | All | None |
Mitigations / Workarounds
According to the official MongoDB advisory, if upgrades cannot be applied immediately, affected users can disable the vulnerable zlib compressor by starting mongod or mongos with a networkMessageCompressors command-line option or a net.compression.compressors configuration-file option that explicitly omits zlib.
Example safe values include snappy, zstd, or disabled.
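As an added illustration (not code from this advisory, from MongoDB, or from the MongoDB advisory), the following Python audit helper reads the effective compressor setting from a mongod/mongos command line or a YAML mongod.conf and reports whether zlib is still enabled, so the workaround above can be verified across a fleet rather than checked by eye. The two sample configuration texts are constructed; the minimal YAML walker handles only the block-mapping style mongod.conf uses; and it assumes that a command-line value takes precedence over the configuration file and that, with neither set, the documented default of snappy,zstd,zlib applies.

```python
import shlex
from typing import Optional

# Documented default when neither option is set (assumed here; confirm against your version's docs).
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"

# Constructed sample configurations: the first still enables zlib, the second applies the workaround.
VULNERABLE_CONF = """\
# constructed sample mongod.conf
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib
"""
HARDENED_CONF = """\
# constructed sample mongod.conf after applying the workaround
net:
  port: 27017
  compression:
    compressors: snappy,zstd
"""


def parse_compressors(value: str) -> set:
    """Turn a compressors setting ('snappy,zstd', 'disabled', ...) into a set of compressor names."""
    value = value.strip().strip("'\"")
    if value.lower() == "disabled":
        return set()
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def compressors_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the --networkMessageCompressors value from a mongod/mongos command line, if present.
    Both the '--opt=value' and '--opt value' spellings are accepted."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(args):
            return args[i + 1]
    return None


def compressors_from_conf(conf_text: str) -> Optional[str]:
    """Return net.compression.compressors from YAML config text.
    Minimal indentation-based walker for block mappings only (no flow style, no lists)."""
    path = []  # stack of (indent, key) describing the current nesting
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # leave deeper or sibling keys
            path.pop()
        path.append((indent, key.strip()))
        if value.strip() and [k for _, k in path] == ["net", "compression", "compressors"]:
            return value.strip()
    return None


def zlib_enabled(cmdline: str = "", conf_text: str = "") -> bool:
    """True if the effective compressors setting still includes zlib.
    Assumption: a command-line value overrides the config file; with neither, the default applies."""
    value = compressors_from_cmdline(cmdline) if cmdline else None
    if value is None:
        value = compressors_from_conf(conf_text)
    if value is None:
        value = DEFAULT_COMPRESSORS
    return "zlib" in parse_compressors(value)


if __name__ == "__main__":
    for label, kwargs in [
        ("default settings", {}),
        ("constructed vulnerable conf", {"conf_text": VULNERABLE_CONF}),
        ("constructed hardened conf", {"conf_text": HARDENED_CONF}),
        ("command line disables compression", {"cmdline": "mongod --networkMessageCompressors=disabled"}),
    ]:
        print(f"{label}: zlib enabled = {zlib_enabled(**kwargs)}")
```

Run against the real command line (from the process list) and the real configuration file of each instance; a result of True means the workaround has not taken effect on that host and the upgrade in the table above remains the fix.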
Patches
Patches were made available by MongoDB at the time of the official public advisory. See the Affected Systems or Products section for the appropriate version to upgrade your systems to.
Technical Details
The core issue is that, when processing certain types of incoming remote messages, MongoDB server code would trust and use an externally supplied (attacker-controlled) “uncompressedSize” parameter. Affected systems, if given an “uncompressedSize” larger than necessary, would allocate too much memory for return messages and mistakenly send back responses that included unrelated portions of system memory. Successful exploitation of this vulnerability enables attackers to potentially leak confidential contents of system memory; repeated enough times, a threat actor could eventually see sensitive data such as authentication material.
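The following Python is an added example written for this note; it is not MongoDB's code, nor the Ox Security or mongobleed material listed under Sources. It reconstructs the defect class described above in simplified form (an output buffer sized from the peer-supplied uncompressedSize and handed on whole) beside a hardened handler that treats the field as untrusted, and adds a parsing check a defender can run over captured frames. The OP_COMPRESSED layout (originalOpcode, uncompressedSize, compressorId, payload) and the 48,000,000-byte message limit are taken from MongoDB's public wire-protocol documentation; the STALE_HEAP bytes, the sample frames and the 1032:1 deflate ceiling used as a heuristic are constructed for the example.

```python
import struct
import zlib

# MongoDB wire-protocol constants (from the public documentation).
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MAX_MESSAGE_SIZE = 48_000_000              # mongod's documented maxMessageSizeBytes
MSG_HEADER = struct.Struct("<iiii")        # messageLength, requestID, responseTo, opCode
COMPRESSED_PREFIX = struct.Struct("<iiB")  # originalOpcode, uncompressedSize, compressorId
DEFLATE_MAX_RATIO = 1032                   # deflate output cannot exceed roughly 1032x its input

# Constructed stand-in for stale process memory lying beyond the real decompressed bytes.
STALE_HEAP = b"<stale heap: session token sk_test_CONSTRUCTED_0001>" * 64


def build_op_compressed(inner_message: bytes, declared_uncompressed_size: int) -> bytes:
    """Constructed OP_COMPRESSED frame (zlib) used as sample input below.
    A well-behaved client sets declared_uncompressed_size == len(inner_message)."""
    body = COMPRESSED_PREFIX.pack(OP_MSG, declared_uncompressed_size, COMPRESSOR_ZLIB)
    body += zlib.compress(inner_message)
    return MSG_HEADER.pack(MSG_HEADER.size + len(body), 1, 0, OP_COMPRESSED) + body


def split_frame(frame: bytes):
    """Return (declared uncompressedSize, compressed payload) from one complete OP_COMPRESSED frame."""
    length, _, _, opcode = MSG_HEADER.unpack_from(frame, 0)
    if opcode != OP_COMPRESSED or length != len(frame):
        raise ValueError("not a complete OP_COMPRESSED frame")
    _, declared, compressor_id = COMPRESSED_PREFIX.unpack_from(frame, MSG_HEADER.size)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("only the zlib compressor is handled in this example")
    return declared, frame[MSG_HEADER.size + COMPRESSED_PREFIX.size:]


def decompress_vulnerable(frame: bytes) -> bytes:
    """Simplified reconstruction of the defect class: the buffer is sized from the peer-supplied
    uncompressedSize and returned whole, so whatever sits past the real decompressed bytes
    (here STALE_HEAP) is carried along with it."""
    declared, compressed = split_frame(frame)
    buf = bytearray(STALE_HEAP[:declared].ljust(declared, b"\x00"))
    out = zlib.decompress(compressed)
    buf[: len(out)] = out
    return bytes(buf)


def decompress_hardened(frame: bytes) -> bytes:
    """Treat uncompressedSize as untrusted: bound it, never inflate past it, and require the
    actual output length to match before anything is handed on."""
    declared, compressed = split_frame(frame)
    if not 0 <= declared <= MAX_MESSAGE_SIZE:
        raise ValueError(f"uncompressedSize {declared} outside the valid range")
    d = zlib.decompressobj()
    out = d.decompress(compressed, declared + 1)  # max_length: one byte more exposes a longer stream
    if not d.eof or d.unconsumed_tail or len(out) != declared:
        raise ValueError(f"uncompressedSize mismatch: declared {declared}, produced {len(out)}")
    return out


def inspect_frame(frame: bytes) -> dict:
    """Detection heuristic for captured traffic: a declared size beyond the server limit, or beyond
    what deflate could possibly produce from this payload, cannot belong to a legitimate message."""
    declared, compressed = split_frame(frame)
    possible_max = DEFLATE_MAX_RATIO * len(compressed) + 64
    return {
        "uncompressedSize": declared,
        "compressedLength": len(compressed),
        "suspicious": declared > MAX_MESSAGE_SIZE or declared > possible_max,
    }


if __name__ == "__main__":
    inner = b'{"ping": 1}'
    good = build_op_compressed(inner, len(inner))
    bad = build_op_compressed(inner, 100_000)
    print("well-formed:", inspect_frame(good), decompress_hardened(good))
    print("oversized  :", inspect_frame(bad))
    leaked = decompress_vulnerable(build_op_compressed(inner, 600))
    print("vulnerable handler returned", len(leaked), "bytes; stale data present:", b"stale heap" in leaked)
    try:
        decompress_hardened(bad)
    except ValueError as exc:
        print("hardened handler rejected the frame:", exc)
```

The hardened handler makes two independent checks: the declared size is bounded by the server's own message limit before any allocation, and the decompressed length must equal the declared length exactly, so neither a short stream (which would leave buffer tail unwritten) nor an overlong one passes. The ratio heuristic in inspect_frame is deliberately coarse; it flags only sizes deflate could never reach from the given payload, which keeps false positives low when run over real captures.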
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
MongoDB: Advisory SERVER-115508
NIST: CVE-2025-14847
GitHub: joe-desimone/mongobleed