A recently disclosed MongoDB Server vulnerability is being actively exploited, with over 87,000 potentially susceptible instances identified worldwide. The flaw, tracked as CVE-2025-14847 (CVSS score 8.7) and dubbed MongoBleed, lets an unauthenticated attacker remotely leak sensitive data from MongoDB server memory. It affects instances with zlib network-message compression enabled, which is the default configuration.

The flaw lies in MongoDB Server's zlib message-decompression logic. An unauthenticated attacker can send compressed, malformed network packets that, without valid credentials or any user interaction, cause the server to return uninitialized heap memory: the affected code returned the allocated buffer size instead of the actual decompressed data length, so a payload that decompresses to fewer bytes than the buffer exposes whatever adjacent heap memory the buffer already contained. Data leaked this way can include user information, passwords, and API keys.
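The length-confusion described above, modelled in Python as an added example (this is not MongoDB's code or its patch). The OP_COMPRESSED layout follows the MongoDB wire-protocol documentation (opcode 2012; originalOpcode, uncompressedSize and compressorId fields; compressorId 2 for zlib); the "heap", the stale contents left in it and the hardened variant are my own constructions, and the bug is reproduced by reporting the buffer size rather than the number of bytes inflate actually wrote.

```python
import struct
import zlib

# OP_COMPRESSED layout per the MongoDB wire-protocol docs: a 16-byte MsgHeader
# (messageLength, requestID, responseTo, opCode) followed by originalOpcode
# (int32), uncompressedSize (int32), compressorId (uint8) and the compressed bytes.
OP_COMPRESSED, OP_MSG, COMPRESSOR_ZLIB = 2012, 2013, 2
HEADER_LEN, ENVELOPE_LEN = 16, 9


def build_op_compressed(payload: bytes, claimed_size: int, request_id: int = 1) -> bytes:
    """Wrap payload in a zlib OP_COMPRESSED message. claimed_size goes into the
    envelope unchecked, so the sender can lie about it; that lie is the attack."""
    body = struct.pack("<iiB", OP_MSG, claimed_size, COMPRESSOR_ZLIB) + zlib.compress(payload)
    return struct.pack("<iiii", HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED) + body


def parse_op_compressed(msg: bytes):
    """Return (uncompressedSize, compressorId, compressedMessage)."""
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED or msg_len != len(msg):
        raise ValueError("not a well-formed OP_COMPRESSED message")
    _orig, size, compressor_id = struct.unpack_from("<iiB", msg, HEADER_LEN)
    return size, compressor_id, msg[HEADER_LEN + ENVELOPE_LEN:]


class StaleHeap:
    """Toy allocator standing in for the server heap (constructed for this example):
    freed memory is not scrubbed, so a new buffer starts out holding leftovers."""

    def __init__(self, leftover: bytes):
        self.leftover = leftover

    def alloc(self, size: int) -> bytearray:
        if size <= 0:
            raise ValueError("bad allocation size")
        return bytearray((self.leftover * (size // len(self.leftover) + 1))[:size])


def decompress_vulnerable(msg: bytes, heap: StaleHeap) -> bytes:
    """Model of the flawed path: the buffer is sized from the attacker-supplied
    uncompressedSize and the caller is told the buffer size, not how many bytes
    inflate actually wrote, so the unwritten (stale) tail is returned as data."""
    size, compressor_id, compressed = parse_op_compressed(msg)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("this example only models the zlib path")
    out = heap.alloc(size)
    produced = zlib.decompressobj().decompress(compressed, size)  # at most size bytes
    out[:len(produced)] = produced
    return bytes(out[:size])  # BUG: should be out[:len(produced)]


def decompress_fixed(msg: bytes, heap: StaleHeap) -> bytes:
    """One hardened form (my own, not MongoDB's patch): return only the bytes that
    were produced and reject any stream whose real length differs from the claim."""
    size, compressor_id, compressed = parse_op_compressed(msg)
    if compressor_id != COMPRESSOR_ZLIB:
        raise ValueError("this example only models the zlib path")
    out = heap.alloc(size)
    d = zlib.decompressobj()
    produced = d.decompress(compressed, size + 1)  # one spare byte exposes a longer stream
    if len(produced) != size or not d.eof:  # short, long, or truncated stream
        raise ValueError("decompressed length does not match declared uncompressedSize")
    out[:len(produced)] = produced
    return bytes(out[:len(produced)])


# Constructed leftovers from an earlier request; not real credentials.
STALE = b"user=admin;password=hunter2;apikey=EXAMPLEKEY;"


def leak_demo() -> bytes:
    """Attacker sends 16 real bytes but declares 256; returns what the vulnerable path hands back."""
    return decompress_vulnerable(build_op_compressed(b"\x00" * 16, 256), StaleHeap(STALE))


def honest_demo() -> bytes:
    """A truthful message passes the hardened path unchanged."""
    return decompress_fixed(build_op_compressed(b"\x00" * 16, 16), StaleHeap(STALE))


def fixed_rejects(payload: bytes, claimed_size: int) -> bool:
    """True if the hardened path refuses a message whose declared size is a lie."""
    try:
        decompress_fixed(build_op_compressed(payload, claimed_size), StaleHeap(STALE))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = leak_demo()
    print(f"vulnerable path returned {len(leaked)} bytes for a 16-byte payload")
    print("stale heap bytes after the payload:", leaked[16:64])
    print("hardened path rejects the same message:", fixed_rejects(b"\x00" * 16, 256))
```

The vulnerable path hands back 256 bytes for a 16-byte payload, and everything after the first 16 bytes is whatever the toy heap held before (here, the constructed credential string). Note that no memory-safety violation is needed: the buffer is written within bounds, and the leak comes purely from trusting the declared length when deciding how much of the buffer is "data". That is also why the hardened form checks the produced length against the declared one rather than only bounding the write.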

Data from attack surface management firm Censys shows that there are over 87,000 potentially vulnerable instances, with the majority located in the United States, China, Germany, India, and France. Researchers at Wiz noted that 42% of cloud environments have at least one MongoDB instance running a version vulnerable to CVE-2025-14847, including internet-exposed and internal resources. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its Known Exploited Vulnerabilities catalog on December 29, 2025, requiring Federal Civilian Executive Branch (FCEB) agencies to apply patches by January 19, 2026.

Users are advised to update to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30 (or later in the same release series). The report also notes that the Ubuntu rsync package is affected, since it uses zlib. As a temporary workaround, disable zlib compression by starting mongod or mongos with a --networkMessageCompressors option (or a net.compression.compressors setting in the configuration file) that explicitly omits zlib; this takes effect only after the affected processes are restarted. In addition, restrict network exposure of MongoDB servers and monitor MongoDB logs for anomalous pre-authentication connections.
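The workaround as a mongod.conf fragment, added here as an example rather than taken from the report: the first document shows the default compressor list, which includes zlib, and the second the corrected setting. The bindIp value is an assumption standing in for whatever interfaces your application actually needs.

```yaml
# Weak: MongoDB's default compressor list, which includes zlib.
# Equivalent command line: mongod --networkMessageCompressors snappy,zstd,zlib
net:
  compression:
    compressors: snappy,zstd,zlib
---
# Corrected: zlib omitted until the patched release is deployed, and the
# listener bound to a specific interface instead of all of them.
# Equivalent command line: mongod --networkMessageCompressors snappy,zstd --bind_ip 10.0.0.5
net:
  bindIp: 10.0.0.5   # assumed value; restrict to the interfaces clients really use
  compression:
    compressors: snappy,zstd
```

After restarting, verify the change from a client rather than trusting the file: running `db.adminCommand({ hello: 1, compression: ["zlib"] })` in mongosh offers only zlib in the handshake, and the server's reply should list no accepted compressor, since it echoes back only the ones it is willing to use. Clients that offer only zlib simply fall back to uncompressed traffic, so the change does not break connectivity, but it does remove compression for those clients until they are reconfigured to offer snappy or zstd.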

This post was translated and summarized from its original version using AI, with human review.

With information from The Hacker News