MongoDB vulnerability exploited: tens of thousands of servers affected

MongoBleed allows data to be leaked without attackers needing to authenticate.

Security researchers are warning of a serious vulnerability in MongoDB that is being actively exploited. The vulnerability is named MongoBleed (CVE-2025-14847). More than 80,000 MongoDB servers worldwide are said to be vulnerable and directly accessible via the internet.

The vulnerability has a CVSS score of 8.7 and allows attackers to leak sensitive data from the memory of a MongoDB server without requiring authentication.

Memory leak

MongoBleed affects network traffic that MongoDB receives compressed with zlib, MongoDB writes in a security advisory. Because of an error in the handling of decompressed data, an attacker can send a manipulated network packet that causes random pieces of server memory to be leaked.

This may include database passwords, API and cloud keys, session tokens, PII, configurations and internal logs. Because the decompression takes place before the authentication phase, no valid login credentials are required.

Actively exploited

The vulnerability is now being actively exploited. A proof-of-concept exploit, developed by researchers, is circulating. According to a security researcher, attackers only need the IP address of a MongoDB database to extract sensitive information from memory.

Censys counted more than 87,000 potentially vulnerable MongoDB instances at the end of December, most of them in the US, China and Germany. Cloud security company Wiz states that 42 percent of the environments it can see are running at least one vulnerable MongoDB version, whether internally or publicly accessible.

Patching alone is not enough

Researchers emphasize that updating is necessary, but that additional measures are also required. Recon InfoSec warns that organizations should also check whether they have already been compromised. One way to do this is to examine source IP addresses in the MongoDB logs: a source IP with a large number of connections but no associated client metadata is an indicator of an attacker.
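The log heuristic described above, as an added example that is not from the article or from Recon InfoSec: it parses lines in mongod's structured JSON log format, counts accepted connections and client-metadata records per source IP, and flags sources that connect many times without ever sending metadata. The sample lines are constructed, and the field layout used (`c`, `msg`, `attr.remote`) is assumed from MongoDB's JSON log format.

```python
import json
from collections import defaultdict


def _event(msg, log_id, ctx, attr):
    # One record in mongod's structured (JSON) log format; the timestamp is constructed.
    return json.dumps({"t": {"$date": "2025-12-30T10:00:00.000+00:00"}, "s": "I",
                       "c": "NETWORK", "id": log_id, "ctx": ctx, "msg": msg, "attr": attr})

def _accepted(ip, port, cid):
    return _event("Connection accepted", 22943, "listener",
                  {"remote": f"{ip}:{port}", "connectionId": cid, "connectionCount": cid})

def _metadata(ip, port, cid):
    return _event("client metadata", 51800, f"conn{cid}",
                  {"remote": f"{ip}:{port}", "client": f"conn{cid}",
                   "doc": {"driver": {"name": "PyMongo", "version": "4.6.0"}}})

# Constructed sample log: a normal driver at 10.0.0.5 sends client metadata after each
# connection; 203.0.113.7 opens many connections and never sends any metadata.
_lines = ["legacy text-format line, not JSON: the parser must skip it"]
for cid in range(1, 4):
    _lines += [_accepted("10.0.0.5", 51000 + cid, cid), _metadata("10.0.0.5", 51000 + cid, cid)]
_lines += [_accepted("203.0.113.7", 40000 + n, 10 + n) for n in range(25)]
SAMPLE_LOG = "\n".join(_lines)


def connection_stats(log_text):
    """Return {source_ip: (connections_accepted, client_metadata_records)}."""
    accepted, metadata = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines (legacy format, truncated output)
        if not isinstance(rec, dict) or rec.get("c") != "NETWORK":
            continue
        ip = rec.get("attr", {}).get("remote", "").rsplit(":", 1)[0]  # drop the port
        if ip and rec.get("msg") == "Connection accepted":
            accepted[ip] += 1
        elif ip and rec.get("msg") == "client metadata":
            metadata[ip] += 1
    return {ip: (accepted[ip], metadata[ip]) for ip in accepted}


def suspicious_sources(log_text, min_connections=20):
    """Source IPs with at least min_connections accepted and no client metadata at all."""
    return sorted(ip for ip, (conns, meta) in connection_stats(log_text).items()
                  if conns >= min_connections and meta == 0)
```

Run it against a real mongod log by passing the file contents to `suspicious_sources`; tune `min_connections` to the normal connection churn of the deployment.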

MongoDB recommends immediately upgrading to a secure version, including:

  • 8.2.3
  • 8.0.17
  • 7.0.28
  • 6.0.27
  • 5.0.32
  • 4.4.30

All older 4.2, 4.0 and 3.6 versions are also vulnerable.

MongoDB Atlas customers have been automatically patched. Those who cannot upgrade can disable zlib compression as a temporary measure. MongoDB advises switching to Zstandard (zstd) or Snappy as safer alternatives.