madhums / node-express-mongoose-demo

A simple demo app using node and mongodb for beginners (with docker)

Home Page: https://nodejs-express-demo.fly.dev

docker security flaw

JSchapke opened this issue

Docker doesn't follow UFW rules; it manipulates iptables directly.
When running Docker on a server using UFW, any container with a mapped port will be publicly available if the Docker configurations on iptables are not explicitly set to false.
The mongo database, which is mapped to 27017, would then be vulnerable.

This can be fixed by putting the mongodb and the node server together in a network, instead of mapping mongo to the host.
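
The fix proposed above, sketched as a Compose file. This is an added example, not part of the original issue and not the repository's own configuration; the service names, the `backend` network, the `MONGODB_URL` variable, the database name and the web port 3000 are assumptions.

```yaml
# Constructed example: names, the env variable and port 3000 are assumptions.
services:
  mongo:
    image: mongo
    # Before (exposed): a published port makes Docker insert its own iptables
    # rules, so UFW does not filter traffic to it.
    # ports:
    #   - "27017:27017"
    #
    # After: no "ports" entry at all. The database is reachable only from
    # containers attached to the same user-defined network.
    # If access from the host itself is needed, bind to loopback instead:
    # ports:
    #   - "127.0.0.1:27017:27017"
    networks:
      - backend
    volumes:
      - mongo-data:/data/db

  node:
    build: .
    environment:
      # The service name "mongo" resolves through Docker's embedded DNS
      # on the shared network, so no host port mapping is required.
      MONGODB_URL: mongodb://mongo:27017/demo
    ports:
      - "3000:3000"   # only the web application is published
    networks:
      - backend
    depends_on:
      - mongo

networks:
  backend:
    driver: bridge

volumes:
  mongo-data:
```

After bringing the stack up, `docker ps` should list no `0.0.0.0:27017` entry in the PORTS column for the mongo container.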