A high-severity vulnerability, referred to as “mongobleed” (CVE-2025-14847), has been identified in most versions of MongoDB Community and Enterprise editions and MongoDB Atlas. Percona Server for MongoDB (PSMDB) is also affected, since it is based on the upstream MongoDB Community code base. This issue affects all MongoDB server binaries on which zlib network compression is allowed.
Below, we outline the details of the vulnerability, the steps Percona is taking, and the actions we recommend you take to mitigate risk.
Vulnerability details:
The mongobleed vulnerability allows an unauthenticated remote attacker with network access to a mongod or mongos instance to extract fragments of uninitialized server memory, which may contain sensitive data.
This vulnerability can only be exploited if both of the following conditions are true:
- The MongoDB server is reachable over the network, and
- zlib network compression is allowed (the default setting)
Servers that are not network-reachable (e.g. embedded systems) or do not allow zlib compression are not exposed to this issue.
Affected MongoDB versions include:
- MongoDB 8.2.0 through 8.2.2
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server 4.2, 4.0, and 3.6 versions
Percona is actively preparing and validating patches for currently supported PSMDB releases. Releases are expected in the first week of January.
Mitigation steps:
Until patched versions are available, we strongly recommend disabling zlib network compression on all affected MongoDB servers.
MongoDB instances negotiate compression in the following order by default: snappy, zstd, then zlib. Because zlib is the final fallback, it is often not used in practice, so disabling it should have no functional impact for most deployments.
Many drivers negotiate compression automatically. A client that explicitly requests zlib will either end up with no compressor negotiated with your server or fall back to another compressor it also offers. Ensure clients prefer snappy or zstd and do not include zlib in their own configuration.
If you start MongoDB manually, add the following parameter:
    mongod --setParameter networkMessageCompressors=snappy,zstd
For a mongos router:
    mongos --setParameter networkMessageCompressors=snappy,zstd
If you use a configuration file (mongod.conf or mongos.conf), add or modify the compression section and restart the process (replica sets and sharded clusters can be restarted in a rolling fashion):
    net:
      compression:
        compressors: snappy,zstd
This explicitly lists only supported, non-vulnerable compressors and omits zlib entirely.
Verification:
To confirm zlib is disabled, connect to the server and check the output of the following command:
    db.adminCommand({ getCmdLineOpts: 1 }).parsed.net.compression
Expected result:
    { compressors: 'snappy,zstd' }
You may also test a client connection that explicitly requests zlib:
    mongosh "mongodb://yourhost:27017/?compressors=zlib"
Then check mongod.log to verify that no compressor was negotiated (negotiatedCompressors is an empty list):
    {"t":{"$date":"2025-12-29T12:41:03.790-05:00"},"s":"I", "c":"NETWORK", "id":51800, "svc":"S", "ctx":"conn788","msg":"client metadata","attr":{"remote":"127.0.0.1:40974","client":"conn788","negotiatedCompressors":[],"doc":{"application":{"name":"mongosh 2.5.6"},"driver":{"name":"nodejs|mongosh","version":"6.16.0|2.5.6"},"platform":"Node.js v20.19.4, LE","os":{"name":"linux","architecture":"x64","version":"6.1.0-37-amd64","type":"Linux"}}}}
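The two checks above (the compressors value returned by getCmdLineOpts, and the negotiatedCompressors field of the "client metadata" events in mongod.log) can be automated across a fleet. The script below is an added example written for this post, not Percona's or MongoDB's own tooling; the log lines it scans are constructed samples in the JSON log format shown above, and the function names are our own.

```python
import json
from typing import Iterable, List, Tuple

# Compressors the advisory recommends leaving enabled.
SAFE_COMPRESSORS = {"snappy", "zstd"}
VULNERABLE_COMPRESSOR = "zlib"


def compressors_allow_zlib(compressors: str) -> bool:
    """True if a net.compression.compressors value (the comma-separated
    string shown by getCmdLineOpts, e.g. 'snappy,zstd,zlib') still
    permits zlib. Whitespace around names is tolerated."""
    enabled = {c.strip() for c in compressors.split(",") if c.strip()}
    return VULNERABLE_COMPRESSOR in enabled


def zlib_connections(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan mongod.log (one JSON document per line) for NETWORK
    'client metadata' events whose negotiatedCompressors include zlib.
    Returns (ctx, remote) for each such connection, in log order."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log line (e.g. legacy text format); skip
        if doc.get("c") != "NETWORK" or doc.get("msg") != "client metadata":
            continue
        attr = doc.get("attr", {})
        if VULNERABLE_COMPRESSOR in attr.get("negotiatedCompressors", []):
            hits.append((doc.get("ctx"), attr.get("remote")))
    return hits


# Constructed sample log (not from a real server): one connection negotiated
# nothing, one negotiated snappy, one negotiated zlib, plus an unrelated event.
SAMPLE_LOG = """
{"t":{"$date":"2025-12-29T12:41:03.790-05:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn788","msg":"client metadata","attr":{"remote":"127.0.0.1:40974","client":"conn788","negotiatedCompressors":[]}}
{"t":{"$date":"2025-12-29T12:41:05.101-05:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn789","msg":"client metadata","attr":{"remote":"10.0.0.5:51234","client":"conn789","negotiatedCompressors":["snappy"]}}
{"t":{"$date":"2025-12-29T12:41:07.412-05:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn790","msg":"client metadata","attr":{"remote":"10.0.0.9:51300","client":"conn790","negotiatedCompressors":["zlib"]}}
{"t":{"$date":"2025-12-29T12:41:08.000-05:00"},"s":"I","c":"COMMAND","ctx":"conn790","msg":"Slow query","attr":{}}
"""

if __name__ == "__main__":
    print("config still allows zlib:", compressors_allow_zlib("snappy,zstd"))
    for ctx, remote in zlib_connections(SAMPLE_LOG.splitlines()):
        print(f"zlib negotiated on {ctx} from {remote}")
```

Run it against your real mongod.log after the restart; any connection it reports is a client that must be reconfigured (or a server that did not pick up the new compressors setting).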
If you have installed Percona Monitoring & Management (PMM), you can also check the zlib-specific metrics to confirm that, after the change to net.compression, no data is transmitted using zlib.
For the server side, check mongodb_ss_network_compression_zlib_compressor_bytesIn; for the client side, check mongodb_ss_network_compression_zlib_decompressor_bytesIn. Both counters should stop increasing.
If you have questions or would like assistance validating your configuration, please contact Percona Support.