Dec 29, 2026Ravie LakshmananDatabase Safety / Vulnerability
A not too long ago disclosed safety vulnerability in MongoDB has come below lively exploitation within the wild, with over 87,000 probably inclined cases recognized the world over.
The vulnerability in query is CVE-2025-14847 (CVSS rating: 8.7), which permits an unauthenticated attacker to remotely leak delicate information from the MongoDB server reminiscence. It has been codenamed MongoBleed.
“A flaw in zlib compression permits attackers to set off data leakage,” OX Safety mentioned. “By sending malformed community packets, an attacker can extract fragments of personal information.”
The issue is rooted in MongoDB Server’s zlib message decompression implementation (“message_compressor_zlib.cpp”). It impacts cases with zlib compression enabled, which is the default configuration. Profitable exploitation of the shortcoming might permit an attacker to extract delicate data from MongoDB servers, together with consumer data, passwords, and API keys.
“Though the attacker may have to ship a considerable amount of requests to collect the total database, and a few information could be meaningless, the extra time an attacker has, the extra data could possibly be gathered,” OX Safety added.
Cloud safety firm Wiz mentioned CVE-2025-14847 stems from a flaw within the zlib-based community message decompression logic, enabling an unauthenticated attacker to ship malformed, compressed community packets to set off the vulnerability and entry uninitialized heap reminiscence with out legitimate credentials or consumer interplay.
“The affected logic returned the allotted buffer measurement (output.size()) as a substitute of the particular decompressed information size, permitting undersized or malformed payloads to show adjoining heap reminiscence,” safety researchers Merav Bar and Amitai Cohen mentioned. “As a result of the vulnerability is reachable previous to authentication and doesn’t require consumer interplay, Web-exposed MongoDB servers are significantly in danger.”
Information from assault floor administration firm Censys exhibits that there are greater than 87,000 probably susceptible cases, with a majority of them positioned within the U.S., China, Germany, India, and France. Wiz famous that 42% of cloud environments have at the least one occasion of MongoDB in a model susceptible to CVE-2025-14847. This consists of each internet-exposed and inner assets.
The precise particulars surrounding the character of assaults exploiting the flaw are presently unknown. Customers are suggested to replace to MongoDB variations 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Patches for MongoDB Atlas have been utilized. It is value noting that the vulnerability additionally impacts the Ubuntu rsync bundle, because it makes use of zlib.
As non permanent workarounds, it is really helpful to disable zlib compression on the MongoDB Server by beginning mongod or mongos with a networkMessageCompressors or a web.compression.compressors choice that explicitly omits zlib. Different mitigations embody limiting community publicity of MongoDB servers and monitoring MongoDB logs for anomalous pre-authentication connections.
