At Percona, our mission has always been to provide the community with truly open-source, enterprise-class software. A critical part of that mission is ensuring that when security vulnerabilities arise in the upstream ecosystem, we respond with the urgency and transparency our users expect.

As many in the MongoDB community are now aware, a security vulnerability, CVE-2025-14847 (informally known as "Mongobleed"), was recently identified in MongoDB Server (Community and Enterprise editions). Today I am confirming that this vulnerability has also been addressed in Percona Server for MongoDB.

What is Mongobleed?

The vulnerability, discovered by the MongoDB security team on December 12, 2025, affects MongoDB Server and its downstream derivatives, including Percona Server for MongoDB. Mongobleed allows an unauthenticated remote attacker with network access to a mongod or mongos instance to extract fragments of uninitialized server memory, which may contain sensitive data. It can only be exploited if both of the following conditions are true:

  • the mongod or mongos instance is reachable by the attacker over the network (for example, it is exposed on a DMZ or the public internet), and
  • zlib is among the server's allowed network compressors, which it is by default.

Servers that are not network-reachable (for example, embedded deployments) or that have zlib removed from their compressor list are not affected. Authentication does not help here: compression is negotiated during the connection handshake, before any credentials are checked, which is why the attacker needs no account.

We want to be clear: Percona Server for MongoDB (PSMDB) is also affected by this upstream vulnerability. However, fixes for supported versions are available today.

Affected MongoDB server and Percona Server for MongoDB versions include: 

  • 8.2.x releases
    • MongoDB Community/Enterprise 8.2.0 through 8.2.2
  • 8.0.x releases
    • MongoDB Community/Enterprise 8.0.0 through 8.0.16
    • Percona Server for MongoDB 8.0.4-1 through 8.0.16-5
  • 7.0.x releases
    • MongoDB Community/Enterprise 7.0.0 through 7.0.26
    • Percona Server for MongoDB 7.0.2-1 through 7.0.26-14
  • 6.0.x releases (EOL)
    • MongoDB Community/Enterprise 6.0.0 through 6.0.26
    • Percona Server for MongoDB 6.0.2-1 through 6.0.25-20
  • 5.0.x releases (EOL)
    • MongoDB Community/Enterprise 5.0.0 through 5.0.31
    • Percona Server for MongoDB 5.0.2-1 through 5.0.29-25
  • 4.4.x releases (EOL)
    • MongoDB Community/Enterprise 4.4.0 through 4.4.29
    • Percona Server for MongoDB 4.4.0-1 through 4.4.29-28
  • 4.2.x and older releases (EOL)
    • All MongoDB Community/Enterprise 4.2, 4.0, and 3.6 versions
    • All Percona Server for MongoDB 4.2, 4.0, and 3.6 versions

Percona’s Response and Resolution

Security is a collaborative effort. As soon as the vulnerability was disclosed, our engineering team began integrating, testing, and validating the necessary patches in our builds to ensure they meet Percona's standards for stability and performance. Throughout that work our customer-first value and our commitment to security held firm: while the patched builds were still in testing, we published a remediation and validation procedure in our blog post of December 31, 2025.

Today, we are releasing updated versions of Percona Server for MongoDB that include the fix for CVE-2025-14847. Our engineers have merged the upstream change, which resolves a buffer length mismatch during zlib decompression: the server now sizes the decompressed message by the number of bytes zlib actually produced rather than by the uncompressed size the sender declared, so the unused tail of the buffer (the "slack space" of uninitialized memory) is never returned to the network.
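To make the buffer length mismatch concrete, here is a simplified Python model added for this post; it is not Percona's or MongoDB's code. A decompression buffer is reused between messages (standing in for the uninitialized heap memory a real server would hand out), and the sender declares a larger uncompressed size than the zlib stream really produces. The stale bytes, sample payload and function names are all constructed for the example.

```python
import zlib

# Constructed for this example (not from the page): bytes a previous request
# left behind in a reused decompression buffer, standing in for the
# uninitialized memory a real server would hand out.
STALE_MEMORY = b"user=admin;pwd=hunter2;session=abc123;" * 4
BUFFER_SIZE = 256


def compress_message(payload: bytes) -> bytes:
    """Sender side: zlib-compress a message body."""
    return zlib.compress(payload)


def fresh_arena() -> bytearray:
    """A reused output buffer that still holds the previous message's bytes."""
    arena = bytearray(BUFFER_SIZE)
    arena[: len(STALE_MEMORY)] = STALE_MEMORY
    return arena


def decompress_vulnerable(compressed: bytes, claimed_len: int, arena: bytearray) -> bytes:
    """Model of the pre-fix logic: decompress into the front of the buffer, then
    trust the length the sender declared and hand back that many bytes. Anything
    between the real output and `claimed_len` is slack space that leaks."""
    data = zlib.decompress(compressed)
    arena[: len(data)] = data
    return bytes(arena[:claimed_len])


def decompress_fixed(compressed: bytes, claimed_len: int) -> bytes:
    """Model of the fixed logic: size the result by what zlib actually produced.
    The declared length only bounds how much we are willing to allocate; a
    mismatch in either direction is a malformed message and is rejected."""
    if claimed_len <= 0:
        raise ValueError("declared length must be positive")
    d = zlib.decompressobj()
    # Ask for at most one byte beyond the declared size so an oversized stream
    # is detectable without unbounded allocation.
    data = d.decompress(compressed, claimed_len + 1)
    if not d.eof or len(data) != claimed_len:
        raise ValueError(
            f"declared {claimed_len} bytes, stream produced {len(data)} (complete={d.eof})"
        )
    return data


def demo() -> dict:
    """Run both versions against a message that lies about its size."""
    payload = b'{"ping": 1}'
    compressed = compress_message(payload)
    lie = 200  # declared uncompressed size, far larger than the real 11 bytes

    leaked = decompress_vulnerable(compressed, lie, fresh_arena())
    try:
        decompress_fixed(compressed, lie)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "leak_len": len(leaked),                       # the vulnerable path hands back 200 bytes
        "leak_contains_secret": b"hunter2" in leaked,  # stale bytes escaped with them
        "fixed_rejects_lie": rejected,
        "fixed_honest": decompress_fixed(compressed, len(payload)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path never checks the declared size against what zlib wrote, so a single small message with an inflated size field pulls out whatever the buffer held before. The fixed path treats the declared size as an upper bound on allocation only and rejects any stream whose real output does not match it, which is the property the upstream patch restores.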

If you are running Percona Server for MongoDB, we strongly recommend upgrading to the following versions (or newer) immediately:

Percona Server for MongoDB 6.0 is already end-of-life (EOL). However, we understand the risk this vulnerability poses and that a major-version upgrade may not be feasible for you right now, so we are additionally releasing patch release 6.0.27-21 on January 12, 2026, despite its EOL status.

Until you have patched, we strongly recommend removing zlib from the allowed network compressors on every affected mongod and mongos as a workaround. This closes the exploit path but is not a substitute for the fix; apply the update as soon as you can.

Why Upgrading Matters

While managed services like MongoDB Atlas can automate these updates, users of on-premises or self-managed cloud deployments—the core of the Percona community—must take manual action to secure their environments.

By upgrading to the latest PSMDB releases, you aren’t just patching “Mongobleed.” You are also benefiting from the latest performance optimizations and bug fixes that Percona provides as part of our commitment to the MongoDB ecosystem.

How can I apply a workaround?

If you cannot upgrade to the patched versions immediately, apply the workaround now.

By default MongoDB offers its compressors in the order snappy, zstd, then zlib. Because zlib is the last resort in that list, legitimate traffic rarely ends up using it, and removing it should have no functional impact for most deployments; a client that supports only zlib simply falls back to uncompressed messages. Note that the negotiation order is no protection against an attacker, who can offer zlib alone; the only effective mitigation is to take zlib out of the server's list. The full procedure, including verification, is described in our previous blog post, CVE-2025-14847 (MongoBleed) — A High-Severity Memory Leak in MongoDB.
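The following Python script is an added helper for auditing and hardening the compressor setting; it is not part of Percona's tooling or the procedure in the earlier post. It reads a mongod.conf, reports the effective compressor list (treating an absent net.compression.compressors key as the default, which includes zlib), rewrites the file with zlib removed, and checks a serverStatus excerpt for evidence that any peer actually sent zlib-compressed traffic. The sample config and serverStatus document are constructed; the counter layout under network.compression follows what serverStatus documents for each compressor.

```python
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]  # mongod default list and negotiation order

# Constructed sample mongod.conf (not taken from the page). It sets no
# net.compression.compressors key, so the server silently runs with the
# default list, zlib included.
SAMPLE_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1   # loopback only
security:
  authorization: enabled
"""

# Constructed excerpt of db.serverStatus(), using the per-compressor counter
# layout documented under network.compression.
SAMPLE_STATUS = {
    "network": {
        "compression": {
            "snappy": {"compressor": {"bytesIn": 9000, "bytesOut": 4000},
                       "decompressor": {"bytesIn": 4100, "bytesOut": 9200}},
            "zstd": {"compressor": {"bytesIn": 0, "bytesOut": 0},
                     "decompressor": {"bytesIn": 0, "bytesOut": 0}},
            "zlib": {"compressor": {"bytesIn": 0, "bytesOut": 0},
                     "decompressor": {"bytesIn": 512, "bytesOut": 0}},
        }
    }
}


def _indent_of(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _walk(conf_text: str):
    """Yield (line_index, key_path, scalar_value) for each key in block-style
    YAML. Deliberately minimal: enough for mongod.conf's nested key/value
    layout, not a general YAML parser."""
    stack = []  # (indent, key) from the root down to the current line
    for idx, raw in enumerate(conf_text.splitlines()):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = _indent_of(line)
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        yield idx, tuple(k for _, k in stack), value.strip().strip("'\"")


def effective_compressors(conf_text: str) -> list:
    """Compressor list mongod will accept for this config; an absent key means the default."""
    for _, path, value in _walk(conf_text):
        if path == ("net", "compression", "compressors"):
            if value.lower() == "disabled":
                return []
            return [c.strip() for c in value.split(",") if c.strip()]
    return list(DEFAULT_COMPRESSORS)


def zlib_enabled(conf_text: str) -> bool:
    return "zlib" in effective_compressors(conf_text)


def harden_conf(conf_text: str) -> str:
    """Return the config with zlib dropped from net.compression.compressors,
    writing the key (and its parents) explicitly when the file relied on defaults."""
    lines = conf_text.splitlines()
    where = {path: idx for idx, path, _ in _walk(conf_text)}
    keep = [c for c in effective_compressors(conf_text) if c != "zlib"]
    value = ",".join(keep) or "disabled"  # nothing left means turn compression off
    if ("net", "compression", "compressors") in where:
        i = where[("net", "compression", "compressors")]
        lines[i] = " " * _indent_of(lines[i]) + f"compressors: {value}"
    elif ("net", "compression") in where:
        i = where[("net", "compression")]
        lines.insert(i + 1, " " * (_indent_of(lines[i]) + 2) + f"compressors: {value}")
    elif ("net",) in where:
        # Insert before net's first child so the new block uses the file's own indent.
        kids = [i for p, i in where.items() if len(p) == 2 and p[0] == "net"]
        i = min(kids) if kids else where[("net",)] + 1
        pad = _indent_of(lines[i]) if kids else _indent_of(lines[where[("net",)]]) + 2
        lines[i:i] = [" " * pad + "compression:", " " * (pad + 2) + f"compressors: {value}"]
    else:
        lines += ["net:", "  compression:", f"    compressors: {value}"]
    return "\n".join(lines) + "\n"


def zlib_traffic_seen(server_status: dict) -> bool:
    """True if the zlib decompressor counter shows any inbound zlib traffic since
    startup. Evidence that some peer used zlib, not proof of exploitation."""
    z = server_status.get("network", {}).get("compression", {}).get("zlib", {})
    return z.get("decompressor", {}).get("bytesIn", 0) > 0


if __name__ == "__main__":
    print("effective:", effective_compressors(SAMPLE_CONF), "zlib on:", zlib_enabled(SAMPLE_CONF))
    print(harden_conf(SAMPLE_CONF))
    print("zlib traffic seen:", zlib_traffic_seen(SAMPLE_STATUS))
```

The same list can be given on the command line as --networkMessageCompressors snappy,zstd. Either way the change takes effect only after mongod or mongos is restarted, and it must be applied to every mongos as well as every mongod, since both speak the compressed wire protocol. A non-zero zlib decompressor counter on a server that was reachable while zlib was enabled is a reason to treat its secrets as exposed and follow the credential rotation advice below.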

If you have questions or would like assistance validating your configuration, please contact Percona Support.

Our Commitment to Security

The “Mongobleed” incident serves as a reminder that security is a continuous journey. Percona remains committed to:

  • Transparency: Communicating clearly about risks and remediation timelines.
  • Speed: Delivering patches to the community as quickly as possible following upstream discovery.
  • Freedom: Ensuring that those who choose to run their own databases have the same level of security protection as those using proprietary managed services.

Next Steps

The updated builds are available now on our download website and through our standard repositories. Our security experts strongly recommend the following additional steps after patching the vulnerability: 

  • Rotate all database and application credentials that may have been exposed. The vulnerability lets unauthenticated attackers leak sensitive data from server memory, potentially including credentials, API keys, and encryption keys, so treat any instance that met both exploit conditions (network-reachable with zlib enabled) as potentially exposed.
  • Where possible, ensure your MongoDB instances are not exposed to the public internet; use network segmentation or firewall rules to restrict access to trusted internal networks only.

If you have questions regarding the upgrade process or how this vulnerability might impact your specific configuration, please reach out to us via the Percona Community Forum or contact our support team if you are a Percona customer.

Stay secure. Always.
