MongoBleed explained simply
bigdata.2minutestreaming.com/p/mongobleed-explained-simply

MongoBleed (CVE-2025-14847) is a critical vulnerability in MongoDB’s zlib message compression path, affecting versions since 2017. It allows attackers to read uninitialized heap memory, potentially exposing sensitive data like passwords and API keys. The exploit involves sending a false uncompressed size, causing the server to allocate excessive memory, and then exploiting BSON parsing to leak data.
A vulnerability in MongoDB’s zlib network compression allows attackers to read arbitrary heap data, including sensitive information, from publicly accessible databases. The vulnerability, present since 2017, was patched in December 2025 but not publicly disclosed until December 24th. While MongoDB claims no evidence of exploitation, the simplicity of the exploit and the number of exposed databases suggest otherwise.
Online comments suggest that exposing a database to the public warrants consequences.