70,000+ MongoDB Servers Vulnerable to MongoBleed Exploit

A critical vulnerability in MongoDB Server is putting tens of thousands of databases worldwide at risk.

Dubbed MongoBleed and tracked as CVE-2025-14847, this high-severity flaw allows unauthenticated attackers to remotely extract sensitive data from server memory without credentials.

The Shadowserver Foundation disclosed updated findings showing 74,854 instances running potentially unpatched MongoDB versions among the 78,725 exposed instances detected today.

Public exploit code released this week has accelerated the threat timeline, with multiple security firms confirming active exploitation in the wild.

What is MongoBleed?

MongoBleed stems from a flaw in MongoDB’s zlib network compression logic.

Attackers send specially crafted compressed packets that cause the server to return uninitialized heap memory, which should remain hidden.

Because the vulnerability exists before authentication checks, attackers need only network access to the MongoDB port (default 27017) to exploit it.

The bug lives in message_compressor_zlib.cpp, where MongoDB returns the allocated buffer size instead of the actual decompressed data length.

This causes the server to expose adjacent heap memory containing sensitive information.

Leaked memory fragments may contain database credentials, API keys, cloud secrets (AWS, Azure, GCP), session tokens, authentication tokens, internal logs and server configurations, and data from other database connections.

This makes MongoBleed particularly dangerous, as attackers can gain direct access to secrets without triggering traditional intrusion detection.

Active Exploitation Confirmed

The vulnerability was disclosed on December 19, and public proof-of-concept code has been available since December 26. Security researchers at Wiz, Bitsight, and others have documented exploitation attempts.

In a post on X, The Shadowserver Foundation warned that the combination of publicly available exploits, more than 70,000 exposed instances, and confirmed active exploitation makes urgent action essential.

The threat escalated dramatically when Ubisoft’s Rainbow Six Siege servers went offline after multiple threat actors claimed a MongoBleed attack targeting internal Git repositories.

MongoDB released patches for all supported versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Atlas customers received automatic patches with no required action.

Organizations running self-hosted MongoDB instances should apply the patch immediately or disable zlib compression temporarily while patching.
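As an added example (not from the article, MongoDB, or Shadowserver), a small Python triage helper that classifies self-hosted servers against the patched release list above and the temporary zlib workaround. Host names and the inventory are constructed; the assumption is that the version string comes from the server's buildInfo command and the compressor list from mongod's net.compression.compressors setting.

```python
import re

# Fixed releases listed in the article, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '8.0.16' (or '8.0.16-rc1') into (8, 0, 16)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str, compressors) -> tuple:
    """Classify a server as patched / mitigated / vulnerable / no_fix_listed.

    `compressors` is the list of network compressors the server accepts
    (mongod's net.compression.compressors); no zlib in it means the temporary
    workaround from the advisory is in place, which is not a substitute for patching.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    fixed_str = ".".join(map(str, fixed)) if fixed else None
    if fixed is not None and v >= fixed:
        return "patched", f"{version} is at or above {fixed_str}"
    if "zlib" not in {c.lower() for c in compressors}:
        return "mitigated", "zlib disabled; still upgrade"
    if fixed is None:
        return "no_fix_listed", "branch has no patched release listed; upgrade"
    return "vulnerable", f"upgrade to {fixed_str} or disable zlib now"


def triage_fleet(inventory) -> dict:
    """inventory: iterable of (host, version, compressors) -> {host: status}."""
    return {host: assess(ver, comp)[0] for host, ver, comp in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts. With pymongo the version
    # string would come from client.admin.command("buildInfo")["version"].
    sample = [
        ("db-a", "8.0.16", ["snappy", "zstd", "zlib"]),
        ("db-b", "8.0.17", ["zlib"]),
        ("db-c", "6.0.20", ["snappy"]),
        ("db-d", "4.2.25", ["zlib"]),
    ]
    for host, status in triage_fleet(sample).items():
        print(f"{host}: {status}")
```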
