Affected Akamai Hunt customers have already received a detailed mapping of vulnerable assets with actionable mitigation steps.
Executive summary
On December 19, 2025, a new vulnerability affecting the majority of MongoDB deployments was publicly reported.
The vulnerability, called MongoBleed, resides in MongoDB’s handling of zlib-compressed messages and allows unauthenticated clients to leak uninitialized heap memory from the database.
The CVE has been assigned a CVSSv4 score of 8.7.
On December 29, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. In parallel, Akamai telemetry shows MongoDB communication in approximately 62% of enterprise networks.
In this blog post, we provide a technical breakdown of MongoBleed, an overview of affected MongoDB versions (along with patch analysis), and practical mitigation guidance, including Akamai Guardicore Segmentation Insight queries to help identify vulnerable assets.
Vulnerability details
MongoBleed originates from how MongoDB processes compressed wire-protocol messages, a feature that is enabled by default.
MongoDB communicates using messages flagged with the OP_MSG opcode, where request payloads are encoded in binary JSON (BSON) format. When a compressed message is sent, the original OP_MSG payload is wrapped inside an OP_COMPRESSED struct.
An OP_COMPRESSED message carries the compressed OP_MSG payload together with the size the payload is expected to have once decompressed.
struct OP_COMPRESSED {
    struct MsgHeader {
        int32 messageLength;       // total size of the message, including this header
        int32 requestID;
        int32 responseTo;
        int32 opCode;              // OP_COMPRESSED
    };
    int32_t originalOpcode;        // opcode of the wrapped message (OP_MSG)
    int32_t uncompressedSize;      // client-supplied expected size after decompression
    uint8_t compressorId;          // compressor used for the payload (e.g., zlib)
    char *compressedMessage;       // the compressed OP_MSG payload
};
An attacker can manipulate the uncompressedSize field so that it is larger than the size the compressed payload actually decompresses to. Because this value is not validated, the server allocates an oversized buffer; the decompressor fills only the front of it, and the remainder still holds uninitialized heap memory.
That leaked memory may include fragments of cleartext passwords, credentials, API keys, or other sensitive in-memory data, depending on what previously occupied the heap.
The leak is further amplified by MongoDB’s error-handling logic. When the malformed BSON object in the message lacks a null terminator, the server keeps reading through the buffer until it finds one. When parsing ultimately fails, the server returns an error response that includes the original message along with the leaked heap contents.
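To make the size mismatch concrete, the following is an added example (not MongoDB's code) that packs a zlib OP_COMPRESSED frame, decodes it the way a size-trusting reader would, and then decodes it with a check that only trusts the length the decompressor actually produced. The opcode values, compressor id and 48 MB message ceiling are taken from the MongoDB wire protocol; the sample OP_MSG payload is constructed here.

```python
import struct
import zlib

OP_COMPRESSED = 2012           # opCode of the compression envelope
OP_MSG = 2013                  # opCode of the wrapped request
ZLIB_ID = 2                    # compressorId value for zlib
MAX_MESSAGE = 48_000_000       # MongoDB's maximum message size (maxMessageSizeBytes)

# MsgHeader (4 x int32) + originalOpcode + uncompressedSize (int32) + compressorId (uint8), little-endian
HEADER = struct.Struct("<iiiiiiB")

# Constructed sample: an OP_MSG body (flagBits=0, section kind 0) carrying the BSON document {"ping": 1}
PAYLOAD = b"\x00\x00\x00\x00\x00" + b"\x0f\x00\x00\x00\x10ping\x00\x01\x00\x00\x00\x00"


def build_op_compressed(payload: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Wrap payload in an OP_COMPRESSED frame whose uncompressedSize is whatever the caller declares."""
    body = zlib.compress(payload)
    total = HEADER.size + len(body)
    return HEADER.pack(total, request_id, 0, OP_COMPRESSED, OP_MSG, declared_size, ZLIB_ID) + body


def decode_trusting(frame: bytes) -> bytes:
    """Pre-patch shape: size the output buffer from the header and hand back the whole buffer."""
    *_, declared, _cid = HEADER.unpack_from(frame)
    buf = bytearray(declared)             # zero-filled here; on a real heap these bytes are stale data
    data = zlib.decompress(frame[HEADER.size:])
    buf[:len(data)] = data                # only len(data) bytes are ever written by the decompressor
    return bytes(buf)


def decode_checked(frame: bytes) -> bytes:
    """Hardened decode: trust only what zlib actually produced and require it to equal the declared size."""
    msg_len, _req, _resp, opcode, _orig, declared, cid = HEADER.unpack_from(frame)
    if opcode != OP_COMPRESSED or cid != ZLIB_ID:
        raise ValueError("not a zlib OP_COMPRESSED frame")
    if msg_len != len(frame):
        raise ValueError("messageLength does not match the bytes received")
    if not 0 < declared <= MAX_MESSAGE:
        raise ValueError(f"uncompressedSize {declared} out of range")
    inflater = zlib.decompressobj()
    data = inflater.decompress(frame[HEADER.size:], declared)   # never inflate past the declared size
    if not inflater.eof or inflater.unconsumed_tail:
        raise ValueError("stream inflates to more than uncompressedSize")
    if len(data) != declared:
        raise ValueError(f"uncompressedSize {declared} != actual {len(data)}")
    return data
```

In the trusting decoder the bytes beyond len(data) are whatever the allocator handed out, which is exactly the region the error response echoes back; the checked decoder rejects the frame instead.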
As of the time of writing, Shodan reports more than 213,000 internet-exposed MongoDB instances, while Censys reports more than 87,000, highlighting the wide exposure of the vulnerability.
Public exploit availability
Within days of disclosure, a working exploit was published on GitHub. The exploit relies on sending repeated malformed compressed requests, allowing attackers to leak large portions of heap memory progressively.
Affected versions
MongoBleed affects the following MongoDB versions:
8.2.0–8.2.2
8.0.0–8.0.16
7.0.0–7.0.27
6.0.0–6.0.26
5.0.0–5.0.31
4.4.0–4.4.29
All v3.6, v4.0, and v4.2 versions
Patch analysis
The one-line patch derives the message size from what the decompressor actually produced, instead of trusting the uncompressedSize value supplied in the OP_COMPRESSED header. This ensures that no memory beyond the actual message size is reported back.
- return {output.length()};
+ return length;
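Review bot: the hunk does not show where `length` is assigned; confirm it is the byte count the zlib call actually wrote (its output-length parameter) and not a copy of the caller-supplied uncompressedSize, since the fix only holds if the returned size reflects real output. It would also help to check `length <= output.length()` before `return length;`, so a decompressor overrun is caught instead of being reported as a valid size.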
Mitigation
Upgrade to a patched version
A patch was introduced in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.
Upgrading to one of these versions fully remediates the vulnerability.
Reduce exposure with network segmentation
Until a patch is applied, exposure can be significantly reduced using segmentation by:
Blocking inbound internet access to MongoDB instances on port TCP/27017
Allowing connections from explicitly trusted sources only
Identify vulnerable hosts with Akamai Guardicore Segmentation
The following Akamai Guardicore Segmentation Insight queries identify hosts that are running vulnerable MongoDB instances.
Linux assets
WITH LINUX AS (
    SELECT DISTINCT name, version, source
    FROM deb_packages
    WHERE name = 'mongodb-org-server'
    UNION ALL
    SELECT DISTINCT name, version, source
    FROM rpm_packages
    WHERE name = 'mongodb-org-server'
),
PARSED AS (
    SELECT name, source, version,
        CAST(REGEX_MATCH(version, '([0-9]+)\.([0-9]+)\.([0-9]+)', 1) AS INTEGER) AS major,
        CAST(REGEX_MATCH(version, '([0-9]+)\.([0-9]+)\.([0-9]+)', 2) AS INTEGER) AS minor,
        CAST(REGEX_MATCH(version, '([0-9]+)\.([0-9]+)\.([0-9]+)', 3) AS INTEGER) AS patch
    FROM LINUX
)
SELECT name, source, version
FROM PARSED
WHERE
    (major = 8 AND minor = 2 AND patch BETWEEN 0 AND 2)
    OR (major = 8 AND minor = 0 AND patch BETWEEN 0 AND 16)
    OR (major = 7 AND minor = 0 AND patch BETWEEN 0 AND 27)
    OR (major = 6 AND minor = 0 AND patch BETWEEN 0 AND 26)
    OR (major = 5 AND minor = 0 AND patch BETWEEN 0 AND 31)
    OR (major = 4 AND minor = 4 AND patch BETWEEN 0 AND 29)
    OR (major = 3 AND minor = 6)
    OR (major = 4 AND minor IN (0, 2))
Windows assets
WITH WINDOWS AS (
    WITH MONGO_PROGRAMS AS (
        SELECT DISTINCT name, version, install_source AS source,
            REGEX_MATCH(name, 'MongoDB [0-9].*', 0) AS mongo_match
        FROM programs
        WHERE name LIKE 'MongoDB%'
    )
    SELECT DISTINCT name, version, source
    FROM MONGO_PROGRAMS
    WHERE LENGTH(mongo_match) > 0
),
PARSED AS (
    SELECT name, source, version,
        CAST(REGEX_MATCH(version, '([0-9]+)\.([0-9]+)\.([0-9]+)', 1) AS INTEGER) AS major,
        CAST(REGEX_MATCH(version, '([0-9]+)\.([0-9]+)\.([0-9]+)', 2) AS INTEGER) AS minor,
        CAST(REGEX_MATCH(version, '([0-9]+)\.([0-9]+)\.([0-9]+)', 3) AS INTEGER) AS patch
    FROM WINDOWS
)
SELECT name, source, version
FROM PARSED
WHERE
    (major = 8 AND minor = 2 AND patch BETWEEN 0 AND 2)
    OR (major = 8 AND minor = 0 AND patch BETWEEN 0 AND 16)
    OR (major = 7 AND minor = 0 AND patch BETWEEN 0 AND 27)
    OR (major = 6 AND minor = 0 AND patch BETWEEN 0 AND 26)
    OR (major = 5 AND minor = 0 AND patch BETWEEN 0 AND 31)
    OR (major = 4 AND minor = 4 AND patch BETWEEN 0 AND 29)
    OR (major = 3 AND minor = 6)
    OR (major = 4 AND minor IN (0, 2))
Disable compressed requests (temporary mitigation)
If upgrading or segmenting the instance is not possible, zlib-compressed requests can be disabled to prevent exploitation. Detailed instructions can be found in the official MongoDB Issue Tracker.
Summary
MongoBleed (CVE-2025-14847) is a remotely exploitable MongoDB vulnerability that allows unauthenticated attackers to leak uninitialized heap memory.
With public exploits available and tens of thousands of internet-exposed instances, the risk of sensitive data leaks is immediate. Organizations running affected versions should upgrade to a patched release or apply network segmentation rules to minimize exposure.
Stay tuned
The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.