Saved February 14, 2026
This article discusses the MongoBleed vulnerability (CVE-2025-14847), which allows attackers to read sensitive data from the heap memory of MongoDB databases. The vulnerability affects all versions since 2017 and can be exploited without authentication, posing significant risks to publicly-accessible instances.
MongoBleed, identified as CVE-2025-14847, is a serious vulnerability affecting nearly all MongoDB versions released since 2017. It allows attackers to read sensitive data from the database's heap memory without requiring authentication. The issue arises from a bug in the zlib compression path in MongoDB, where the server incorrectly trusts user-supplied data regarding message sizes. An attacker can exploit this by sending a false `uncompressedSize`, causing the server to allocate more memory than necessary, which can include leftover data from prior operations.
The exploit unfolds in two parts. First, the attacker tricks the server into allocating a large memory buffer by specifying an inflated size. After decompressing, the server fails to verify the actual size of the output, so the buffer it goes on to use mixes valid BSON data with whatever stale heap memory followed it. This can include sensitive information such as passwords, API keys, and customer data. In the second part, the attacker crafts a BSON message that lacks a null terminator. When the server parses it, it continues reading into the garbage memory until it finds a terminator, potentially leaking sensitive information in error messages.
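As an added illustration (not code from the article or from MongoDB), the two checks described above modelled in Python: a decompressor that trusts the declared size beside a hardened one that rejects any mismatch, plus a bounded BSON C-string read. The stale-heap bytes, the size cap and all function names are constructed for the demo.

```python
import zlib


class CompressedMessageError(ValueError):
    """Raised when a compressed message's framing does not match its contents."""


# Constructed stand-in for stale heap contents left behind by earlier requests;
# a real allocator returns whatever the previous owner of that memory wrote.
STALE_HEAP = b"\x00" * 40 + b"user=alice;password=hunter2;api_key=EXAMPLE-ONLY" + b"\x00" * 64

MAX_MESSAGE_SIZE = 48 * 1024 * 1024  # assumed cap for the demo, not MongoDB's value


def compress_message(body: bytes) -> tuple[int, bytes]:
    """Build an honest (declared_size, compressed) pair for a message body."""
    return len(body), zlib.compress(body)


def decompress_trusting_header(declared_size: int, compressed: bytes) -> bytes:
    """Weak pattern: size the output buffer from the untrusted header and hand the
    whole buffer back, never checking how many bytes zlib actually produced."""
    buf = bytearray(STALE_HEAP[:declared_size].ljust(declared_size, b"\x00"))  # "uninitialised"
    out = zlib.decompress(compressed)
    buf[: len(out)] = out
    return bytes(buf)  # real payload followed by whatever was already in memory


def decompress_checked(declared_size: int, compressed: bytes) -> bytes:
    """Hardened pattern: bound the claimed size, decompress at most that many bytes,
    and reject the message unless the real output length matches the claim exactly."""
    if not 0 < declared_size <= MAX_MESSAGE_SIZE:
        raise CompressedMessageError(f"declared size {declared_size} outside allowed range")
    d = zlib.decompressobj()
    out = d.decompress(compressed, declared_size + 1)  # +1 so an undersized claim is detectable
    if len(out) != declared_size or not d.eof or d.unconsumed_tail:
        raise CompressedMessageError(f"declared {declared_size} bytes, stream produced {len(out)}")
    return out


def read_cstring(buf: bytes, offset: int) -> tuple[str, int]:
    """Bounded BSON C-string read: the NUL terminator must lie inside the message.
    Returns the decoded string and the offset just past the terminator."""
    end = buf.find(b"\x00", offset)
    if end < 0:
        raise CompressedMessageError("unterminated C string: refusing to scan past the message")
    return buf[offset:end].decode("utf-8"), end + 1
```

Run `decompress_trusting_header` with a declared size larger than the real body and the returned bytes carry the simulated secret; `decompress_checked` refuses the same input.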
The vulnerability has been present for over eight years, creating a significant risk for any MongoDB instances exposed to the internet. There are over 213,000 publicly accessible MongoDB databases, making them easy targets. The bug was first introduced in a pull request in May 2017, with the fix only being implemented days after the vulnerability was disclosed in December 2025. Despite the fix being available, MongoDB's communication about the issue has been lacking, leaving many instances still at risk.