⚠ Actively exploited
Added to CISA KEV on 2025-12-29. Federal agencies required to patch by 2026-01-19. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-14847Improper Handling of Length Parameter Inconsistency in INC Mongodb Server

CWE-130Improper Handling of Length Parameter Inconsistency20 documents14 sources
Severity
8.7HIGHNVD
EPSS
77.5%
top 1.01%
CISA KEV
KEV
Added 2025-12-29
Due 2026-01-19
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Mongodb INC Mongodb ServerMongodb
Timeline
PublishedDec 19
KEV addedDec 29
KEV dueJan 19
Latest updateApr 9
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, Mong

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5mongodb_inc/mongodb_server8.28.2.3+8
NVDmongodb/mongodb3.6.04.4.30+5

Patches

Patch: jira.mongodb.org

🔴Vulnerability Details

4
CVEList
Zlib compressed protocol header length confusion may allow memory read2025-12-19
GHSA
GHSA-4742-mr57-2r9j: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client2025-12-19
OSV
CVE-2025-14847: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client2025-12-19
VulnCheck
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability2025

💥Exploits & PoCs

2
Nuclei
MongoDB Server - Information Disclosure (MongoBleed)
Metasploit
MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed

🔍Detection Rules

1
Suricata
ET EXPLOIT MongoDB Unauthenticated Memory Leak (CVE-2025-14847)2025-12-29

📋Vendor Advisories

2
Ubuntu
MongoDB vulnerability2026-04-09
CISA
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability2025-12-29

🕵️Threat Intelligence

9
Unit42
Threat Brief: MongoDB Vulnerability (CVE-2025-14847)2026-01-13
Unit42
Threat Brief: MongoDB Vulnerability (CVE-2025-14847)2026-01-13
Bleepingcomputer
CISA orders feds to patch MongoBleed flaw exploited in attacks2025-12-30
Bleepingcomputer
Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed2025-12-28
Wiz
MongoBleed: Critical MongoDB Vulnerability CVE-2025-14847 | Wiz Blog2025-12-28
CVE-2025-14847 — INC Mongodb Server vulnerability | cvebase