
SANS Internet StormCast
SANS Stormcast Sunday, December 28th, 2025: MongoDB Unauthenticated Memory Leak CVE-2025-14847
AI Summary
The episode warns that a critical MongoDB memory‑disclosure vulnerability (CVE‑2025‑14847), likened to Heartbleed, was patched on December 24 and is already being exploited in the wild. The flaw lets an unauthenticated attacker lie about a length field in the data sent to the server so that the response carries whatever uninitialized memory happens to sit in the MongoDB process's address space, potentially exposing credentials and other secrets; it does not permit code execution by itself. Listeners are urged to ensure MongoDB instances are not internet‑exposed, to check for MongoDB embedded in other products, to verify that the patch has been deployed on every supported branch back to 3.6, and to rotate any credentials that may have been exposed.
Episode Description
MongoDB Unauthenticated Attacker Sensitive Memory Leak CVE-2025-14847
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
https://github.com/joe-desimone/mongobleed/
Show Notes
Title: SANS Stormcast Sunday, December 28 2025: MongoDB Unauthenticated Memory Leak CVE‑2025‑14847
Handler on Duty: Didier Stevens
Publication Date: Sunday, December 28 2025
Summary
MongoDB patched a sensitive memory‑leak vulnerability (CVE‑2025‑14847) over the Christmas holiday that is now actively being exploited.
- Patch announcement: https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
- Commit fixing the issue: https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728
- Technical analysis: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
- Proof‑of‑concept exploit: https://github.com/joe-desimone/mongobleed/
Podcast Transcript
Hello and welcome to the Sunday, December 28, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. This episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.
We have a special Christmas present that required a special podcast. On the 24th a patch was released for MongoDB – a Christmas‑gift patch. That patch also fixed a critical vulnerability in MongoDB, a memory‑leak (actually a memory‑disclosure) issue, similar in impact to Heartbleed.
MongoDB accepts BSON‑formatted data (binary JSON). BSON allows compression, which means the length of data can change during decompression and must be tracked. Historically this has caused many buffer overflows. This bug is different: the buffer size reported back is the size of the *entire* allocated memory, not just the portion actually used. If a BSON file lies about its content length, the extra memory is filled with whatever happens to be in the MongoDB process’s address space – potentially secrets such as keys.
A patch has been released, and a test case (proof‑of‑concept exploit) was published alongside it. The exploit is simple: adjust a length field in the BSON data you send to MongoDB. Exploitation is already underway. If you expose MongoDB to the Internet, assume someone is already trying to exploit your instance.
**Recommendations**
1. **Do not expose MongoDB to the Internet.**
- Many people expose NoSQL databases unnecessarily.
- MongoDB can execute JavaScript, which tempts some to expose it.
2. **Check for MongoDB in other products.**
- For example, UniFi controllers and many other systems embed MongoDB. Even if you don’t run MongoDB directly, it may be present in your network.
3. **Assess exposure.**
- If MongoDB is only reachable on the local network or loopback, the risk is lower.
4. **Patch all versions.**
- All versions back to at least 3.6 are vulnerable if not patched within the last week.
If you suspect you have been attacked, note that this vulnerability does **not** allow arbitrary code execution – it is about stealing credentials. Rotate credentials immediately on any exposed, unpatched MongoDB instance and audit what data may have been leaked. Credential theft could later enable command execution.
That’s all for today. Thanks for listening. I hope you don’t start the new year with an incident caused by this MongoDB issue. Stay safe.
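Added example (not part of the podcast, not MongoDB's code, and not the linked proof of concept): a small simulation of the length-lie pattern the transcript describes, with the vulnerable decompress path beside a hardened one and a detection helper that measures how far a frame's declared size exceeds what zlib actually inflates. It assumes, following the title of the linked zlib analysis, that the lying field is `uncompressedSize` in an OP_COMPRESSED frame; the wire-format layout and opcode constants are taken from the public MongoDB wire-protocol specification, while the sample payload, the "stale heap" contents and the secret string are constructed for the demonstration.

```python
import struct
import zlib
from typing import Optional

# MongoDB wire-protocol constants (public wire-protocol spec).
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MAX_MESSAGE_SIZE = 48_000_000               # maxMessageSizeBytes advertised by `hello`
MSG_HEADER = struct.Struct("<iiii")         # messageLength, requestID, responseTo, opCode
COMPRESSED_HEADER = struct.Struct("<iiB")   # originalOpcode, uncompressedSize, compressorId

# Constructed sample data, not real traffic or real MongoDB memory.
PAYLOAD = b"\x05\x00\x00\x00\x00" + b"\x00" * 27   # 32-byte stand-in for an OP_MSG body
SECRET = b"admin:Hunter2!"                          # pretend credential from an earlier request
STALE_HEAP = bytearray(4096)                        # recycled heap chunk handed out by malloc()
STALE_HEAP[100:100 + len(SECRET)] = SECRET


def build_op_compressed(payload: bytes, claimed_size: Optional[int] = None, request_id: int = 1) -> bytes:
    """Wrap `payload` in a zlib OP_COMPRESSED frame. `claimed_size` lets the
    caller lie about uncompressedSize, which is the whole trick."""
    compressed = zlib.compress(payload)
    size = len(payload) if claimed_size is None else claimed_size
    body = COMPRESSED_HEADER.pack(OP_MSG, size, COMPRESSOR_ZLIB) + compressed
    return MSG_HEADER.pack(MSG_HEADER.size + len(body), request_id, 0, OP_COMPRESSED) + body


def parse_op_compressed(frame: bytes):
    """Return (uncompressedSize as declared by the sender, compressed bytes)."""
    msg_len, _req, _resp, opcode = MSG_HEADER.unpack_from(frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame):
        raise ValueError("not a well-formed OP_COMPRESSED frame")
    _orig_op, claimed, compressor = COMPRESSED_HEADER.unpack_from(frame, MSG_HEADER.size)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError(f"compressorId {compressor} not handled in this example")
    if not 0 <= claimed <= MAX_MESSAGE_SIZE:
        raise ValueError(f"uncompressedSize {claimed} out of range")
    return claimed, frame[MSG_HEADER.size + COMPRESSED_HEADER.size:]


def inflate(compressed: bytes, claimed: int):
    """Inflate into an output window of `claimed` bytes (like inflate() with
    avail_out == claimed). Returns (bytes written, declared size was truthful)."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, claimed + 1)   # one spare byte detects an undersized claim
    truthful = d.eof and not d.unconsumed_tail and len(out) == claimed
    return out[:claimed], truthful


def decompress_vulnerable(frame: bytes, heap: bytearray) -> bytes:
    """The bug class: allocate `claimed` bytes of recycled memory, inflate into
    it, and pass on the whole allocation regardless of how much zlib wrote."""
    claimed, compressed = parse_op_compressed(frame)
    buf = bytearray(heap[:claimed])      # malloc() without zeroing: stale contents
    out, _ = inflate(compressed, claimed)
    buf[:len(out)] = out
    return bytes(buf)                    # length is `claimed`; the tail is old heap data


def decompress_hardened(frame: bytes, heap: bytearray) -> bytes:
    """Fixed pattern: reject a frame whose declared size is not exactly what
    zlib produced, and never hand out bytes that were not written."""
    claimed, compressed = parse_op_compressed(frame)
    out, truthful = inflate(compressed, claimed)
    if not truthful:
        raise ValueError(f"uncompressedSize {claimed} does not match inflated length {len(out)}")
    buf = bytearray(heap[:claimed])
    buf[:len(out)] = out
    return bytes(buf[:len(out)])


def unwritten_bytes(frame: bytes) -> int:
    """Detection helper for captured traffic: bytes of the allocation zlib never
    fills, i.e. stale memory a vulnerable server would treat as request data.
    0 for an honest frame; anything larger is worth an alert."""
    claimed, compressed = parse_op_compressed(frame)
    out, _ = inflate(compressed, claimed)
    return claimed - len(out)


def hardened_rejects(frame: bytes) -> bool:
    try:
        decompress_hardened(frame, STALE_HEAP)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    honest = build_op_compressed(PAYLOAD)
    lying = build_op_compressed(PAYLOAD, claimed_size=512)
    print("honest frame, stale bytes:", unwritten_bytes(honest))
    print("lying frame, stale bytes: ", unwritten_bytes(lying))
    print("secret in vulnerable output:", SECRET in decompress_vulnerable(lying, STALE_HEAP))
    print("hardened path rejects lie:", hardened_rejects(lying))
```

The honest frame yields 0 stale bytes on both paths; the lying frame makes the vulnerable path return 512 bytes of which only 32 came from the sender, with the constructed secret sitting in the remainder, while the hardened path refuses it. The same inflate-and-compare check in `unwritten_bytes` is what a network sensor would run over OP_COMPRESSED traffic to port 27017 to spot attempts, and the range check in `parse_op_compressed` keeps an absurd declared size from turning the detector itself into an allocation problem.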