MongoDB “MongoBleed” (CVE-2025-14847) memory disclosure: unauthenticated zlib packets can leak secrets; added to CISA KEV

Answer Brief

Taiwan’s TWCERT/CC warns that a high-risk MongoDB Server vulnerability, CVE-2025-14847 (CVSS v4: 8.7), is under active exploitation and can leak sensitive data from server memory. The issue—dubbed “MongoBleed” by researchers—stems from incorrect handling of the reported length of zlib-decompressed messages, which can cause uninitialized heap memory residues to be included in responses. TWCERT/CC notes that more than 87,000 internet-exposed MongoDB servers could be at risk, and that CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on 2025-12-29, signaling elevated urgency for enterprises and government agencies.

Why It Matters

TWCERT/CC’s advisory frames CVE-2025-14847 as a practical, internet-scale exposure problem rather than a theoretical bug: the vulnerability is described as actively exploited and paired with an estimate of 87,000+ publicly reachable servers. For global cloud and platform teams, this matters because MongoDB frequently sits in the direct path of application authentication, API authorization, and service-to-service credentials; a memory disclosure that can reveal passwords, access keys, certificates, or tokens creates a fast route to lateral movement and persistent access even if the initial bug is later patched.

Technically, the advisory highlights a classic risk pattern for infrastructure services: compression and message parsing. In this case, MongoDB Server’s handling of zlib-compressed messages reportedly mis-processes the “decompressed data length,” treating the allocated buffer size as the valid data length instead of the actual decompressed length. The result is that responses may contain remnants of uninitialized heap memory. TWCERT/CC notes attackers can repeat specially crafted requests to harvest different memory fragments over time and potentially reconstruct sensitive values.
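The length-handling pattern just described, as an added illustration written for this brief (not MongoDB's code): the decompressor is a stand-in for zlib's inflate(), and the 'S' fill deterministically models stale heap contents so the effect is visible; the defective handler is shown beside a hardened one that trusts only the byte count the decompressor actually produced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the defect: a client message carries a
 * "decompressed length" header field; the receiver allocates that many
 * bytes, inflates into the buffer, and builds a response from it. */
typedef struct {
    const uint8_t *body;  /* bytes the decompressor will actually produce */
    size_t actual;        /* how many bytes inflate() really writes */
    size_t claimed;       /* client-controlled header value; may exceed actual */
} compressed_msg_t;

/* Stand-in for zlib's inflate(): copies `actual` bytes and reports that count. */
static size_t fake_inflate(const compressed_msg_t *m, uint8_t *dst) {
    memcpy(dst, m->body, m->actual);
    return m->actual;
}

/* Vulnerable pattern: the allocated size (claimed length) is treated as the
 * length of valid data, so bytes inflate() never wrote are copied into the reply. */
long respond_vulnerable(const compressed_msg_t *m, uint8_t *out) {
    uint8_t *buf = malloc(m->claimed);
    if (!buf) return -1;
    memset(buf, 'S', m->claimed);   /* deterministic stand-in for stale heap bytes */
    fake_inflate(m, buf);           /* produced count is ignored */
    memcpy(out, buf, m->claimed);   /* BUG: claimed length, not produced length */
    free(buf);
    return (long)m->claimed;
}

/* Hardened pattern: use the count the decompressor returned and reject a
 * message whose header does not match it (malformed or hostile input). */
long respond_fixed(const compressed_msg_t *m, uint8_t *out) {
    uint8_t *buf = malloc(m->claimed);
    if (!buf) return -1;
    memset(buf, 'S', m->claimed);
    size_t produced = fake_inflate(m, buf);
    if (produced != m->claimed) {   /* header/length mismatch: drop the message */
        free(buf);
        return -1;
    }
    memcpy(out, buf, produced);
    free(buf);
    return (long)produced;
}
```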

Operationally, the KEV listing (as cited by TWCERT/CC) is an important prioritization signal for security and IT operations teams, especially in regulated environments, because it indicates observed exploitation and drives patch urgency in many vulnerability management programs. TWCERT/CC also emphasizes that proof-of-concept (PoC) code is publicly available, lowering the barrier for opportunistic scanning and exploitation of exposed endpoints.

The patched versions listed by TWCERT/CC span multiple major release lines, which suggests heterogeneous fleets (including older, end-of-support deployments) may be at risk. The advisory’s mitigations focus on reducing exposure and the vulnerable attack surface (zlib compression), plus monitoring for abnormal authentication/connection behaviors—controls that map well to cloud perimeter hardening and identity protection priorities.

Event Type: security
Importance: high

Affected Companies

  • MongoDB

Affected Sectors

  • Cloud Security
  • Cybersecurity
  • Data Infrastructure
  • DevOps / SRE

Key Numbers

  • CVSS (v4.x): 8.7
  • Estimated internet-exposed servers potentially at risk (global): 87,000+
  • CISA KEV inclusion date (per TWCERT/CC): 2025-12-29
  • TWCERT/CC advisory publish date: 2026-01-27
  • TWCERT/CC advisory update date: 2026-01-28
  • Patched MongoDB versions listed by TWCERT/CC: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30

Timeline

  1. CISA adds CVE-2025-14847 to the Known Exploited Vulnerabilities (KEV) catalog (per TWCERT/CC).
  2. TWCERT/CC publishes advisory on MongoBleed risk to MongoDB servers.
  3. TWCERT/CC updates the advisory.
