At MongoDB, protecting our customers’ data is our highest priority. On December 12, 2025, the MongoDB Security Engineering team identified a security vulnerability, described in CVE-2025-14847, which impacts MongoDB Server. Within the security community, this vulnerability is informally referred to as “Mongobleed.” This blog post outlines the situation, our immediate response, and the key insights we’ve gathered so far. Security is an ongoing responsibility in modern software development for both software producers and consumers, and maintaining trust depends on how issues are identified, addressed, and communicated.
This patched security vulnerability in the MongoDB Server products (Community and Enterprise) is not a breach or compromise of MongoDB, MongoDB Atlas (our managed MongoDB Server offering), or our systems. To maintain the highest levels of security, customers and users are advised to use the latest versions of MongoDB’s software that have been updated to address this vulnerability.
The vulnerability was discovered internally by MongoDB Security Engineering as part of our proactive and continuously evolving security program. Over the last several years, we have increased our investment in people, processes, and technology to analyse and improve our codebase continuously. This work is ongoing, and discoveries like this reinforce the importance of sustained focus in this area.
Because how and when we act matters as much as what we do, transparency around timing is important. The following timeline outlines our discovery, validation, remediation, and disclosure efforts from December 12 through December 23, 2025 (all times U.S. ET):
December 12 at 19:00 – MongoDB Security Engineering detected the issue.
December 12–14 – We worked continuously to validate the issue and develop and test a fix.
December 15–17 – We developed and tested our rollout plans to enable rapid and safe deployment at scale, and commenced patching the Atlas fleet.
December 17 at 12:10 – We completed patching the majority of the Atlas fleet.
December 17 at 21:00 – Atlas offers an optional feature called “maintenance windows” that gives customers control over when MongoDB applies routine software updates to their Atlas instances. As part of our established policy, we proactively notified Atlas customers with maintenance windows configured that we would perform an urgent patch the following day.
December 18 – We patched the remainder of the Atlas fleet, including those with maintenance windows, and continued customer communications.
December 19 – We published the vulnerability through the industry-standard CVE process as CVE-2025-14847.
December 23 – We posted an update on MongoDB’s community forum, sharing the patch and details on how to update.
Protecting customers was our top priority throughout this process. Tens of thousands of MongoDB Atlas customers and hundreds of thousands of Atlas instances were proactively patched within days. Because MongoDB manages Atlas, we were able to deploy critical security patches quickly and safely on behalf of customers.
In parallel with our Atlas remediation, we published patch versions of MongoDB for customers running MongoDB Enterprise Advanced. We also made available patched community builds and proactively notified Community Edition users through our community forum. Our goal was to ensure that all MongoDB users, whether running Atlas, Enterprise Advanced, or Community, had access to patches and clear guidance as quickly as possible.
As with any operational event, this was another opportunity to learn, improve, and raise the bar. The software security space is rapidly evolving with new tools and techniques, and MongoDB will continue to evaluate and deploy new capabilities as part of our deep investment in security for our customers.
Operating software and services securely at high scale is complex. Our responsibility is to continuously improve our products, act with urgency and transparency, and strengthen how we protect our customers. We appreciate the trust our customers place in MongoDB and remain committed to earning that trust every day.
– Jim Scharf, Chief Technology Officer, MongoDB