Advisory on CVE-2025-14847

On December 19, 2025, MongoDB disclosed a high-severity vulnerability, widely referred to in the security community as MongoBleed. This vulnerability allows unauthenticated remote attackers to read uninitialised heap memory from MongoDB servers by exploiting a flaw in the handling of zlib-compressed network messages.

The vulnerability, also known as the "MongoDB Server Improper Handling of Length Parameter Inconsistency", occurs when incorrect length values in Zlib-compressed protocol headers may enable unauthenticated clients to access uninitialized heap memory.

The CVE ID CVE-2025-14847 is assigned to this vulnerability and classified as having a High severity, with a CVSS score of 8.7, by MongoDB, Inc.

For more information, refer to the official MongoDB Server Security Update.

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

In accordance with our managed service commitment, IONOS Cloud has:

1. Identified all vulnerable MongoDB clusters within the production environment.

2. Applied the official MongoDB patches (versions 7.0.28 and 6.0.27) to all the MongoDB clusters.

Consequently, the patch status for the affected MongoDB products in our environment is officially marked as "Done".

What action can you take to mitigate the vulnerability?

IONOS Cloud owns the patching responsibility, and no user action is required.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.