Dear Tencent Cloud User,
Summary
Tencent Cloud Security Center is tracking a critical information disclosure vulnerability in MongoDB Server, identified as CVE-2025-14847 (also known as "MongoBleed"). This vulnerability resides in the handling of Zlib-compressed protocol messages.
An unauthenticated remote attacker can exploit this flaw by sending a specially crafted Zlib-compressed request with a mismatched length field. This triggers an out-of-bounds read, allowing the attacker to retrieve uninitialized sensitive data from the server's heap memory, such as session tokens or residual data from other concurrent requests.
Technical Details
The vulnerability is caused by insufficient validation of the length field in the Zlib-compressed message header. When the declared length exceeds the actual compressed data size, the decompression engine reads beyond the intended buffer. This "leaks" fragments of the server's heap memory—uninitialized memory remnants that may contain highly sensitive information from other sessions.
Note: Public Proof-of-Concept (PoC) exploits are currently available.
Risk level
High
Vulnerability Risks
An unauthenticated remote attacker could exploit this vulnerability to read uninitialized data in the MongoDB server's heap memory by sending specially crafted Zlib compression protocol requests, potentially leading to the leakage of sensitive information such as session tokens and fragments of data from other requests.
Affected Products and Versions
Your MongoDB instances are at risk if you are running any of the following versions with Zlib compression enabled:
● MongoDB 8.2: < 8.2.3
● MongoDB 8.0: < 8.0.17
● MongoDB 7.0: < 7.0.28
● MongoDB 6.0: < 6.0.27
● MongoDB 5.0: < 5.0.32
● MongoDB 4.4: < 4.4.30
● Legacy Versions: 4.2, 4.0, 3.6 (All sub-versions)
Secure version
● MongoDB Server >= 8.2.3
● MongoDB Server >= 8.0.17
● MongoDB Server >= 7.0.28
● MongoDB Server >= 6.0.27
● MongoDB Server >= 5.0.32
● MongoDB Server >= 4.4.30
Remediation & Action Required
Option 1: Upgrade (Recommended)
We strongly recommend upgrading your MongoDB instances to the respective patched versions immediately:
● MongoDB Server >= 8.2.3 / 8.0.17 / 7.0.28 / 6.0.27 / 5.0.32 / 4.4.30
Option 2: Immediate Mitigation (If Patching is Not Possible)
If you cannot upgrade immediately, you must disable Zlib compression to mitigate the risk. You can do this by updating your mongod or mongos configuration:
1. Modify the net.compression.compressors setting in your configuration file or use the --networkMessageCompressors command-line option.
2. Explicitly exclude zlib. Use safer alternatives like snappy or zstd, or disable compression entirely.
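As an added audit helper (not part of this advisory and not MongoDB's code), the check below combines the affected-version table above with the compressors setting from Option 2 and prints the corrected value; treating an absent compressors setting as leaving zlib enabled is a conservative assumption, not something the advisory states.

```python
"""Exposure check for CVE-2025-14847 (added example, not vendor code)."""
import re
from typing import Optional

# Patched release per branch, exactly as listed in the advisory.
PATCHED = {(8, 2): 3, (8, 0): 17, (7, 0): 28, (6, 0): 27, (5, 0): 32, (4, 4): 30}
# Branches the advisory marks as affected in every sub-version.
LEGACY_UNFIXED = {(4, 2), (4, 0), (3, 6)}


def parse_version(version: str) -> tuple:
    """'7.0.25' or 'v7.0.25-rc0' -> (7, 0, 25)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown' (branch not covered by the advisory)."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in LEGACY_UNFIXED:
        return "vulnerable"
    if branch in PATCHED:
        return "patched" if patch >= PATCHED[branch] else "vulnerable"
    return "unknown"


def enabled_compressors(setting: Optional[str]) -> list:
    """Parse net.compression.compressors / --networkMessageCompressors.

    Assumption (conservative): an absent setting is treated as leaving zlib
    enabled, since the advisory asks for zlib to be excluded explicitly.
    """
    if setting is None:
        return ["zlib"]
    names = [n.strip().lower() for n in setting.split(",") if n.strip()]
    return [] if names == ["disabled"] else names  # 'disabled' = compression off


def mitigated_setting(setting: Optional[str]) -> str:
    """Same setting with zlib removed, or 'disabled' if nothing else remains."""
    rest = [n for n in enabled_compressors(setting) if n != "zlib"]
    return ",".join(rest) if rest else "disabled"


def assess(version: str, compressors: Optional[str]) -> dict:
    """Verdict plus the config change that would close the exposure."""
    status = version_status(version)
    zlib_on = "zlib" in enabled_compressors(compressors)
    exposed = status != "patched" and zlib_on  # 'unknown' branch counts as exposed
    return {"version_status": status, "zlib_enabled": zlib_on, "exposed": exposed,
            "mitigated_compressors": mitigated_setting(compressors)}
```

Feed it the version from `db.version()` and the compressors value from `db.serverCmdLineOpts()` or your `mongod.conf`; an `exposed` result of `True` means upgrade, or apply the returned `mitigated_compressors` value until you can.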