A high-severity vulnerability affecting multiple versions of MongoDB is actively being exploited by threat actors worldwide. Dubbed MongoBleed (CVE-2025-14847), the flaw allows unauthenticated attackers to leak sensitive information from MongoDB servers, including session tokens, passwords, API keys, and potentially entire databases.
How MongoBleed Works
The vulnerability lies in the zlib compression used for MongoDB’s network messages. By sending crafted compressed messages, attackers can read uninitialized heap memory without authenticating. This is possible because the server decompresses network messages before it verifies credentials, which makes Internet-exposed MongoDB servers especially vulnerable.
Ox Security’s technical analysis explains that attackers can exploit the flaw to extract fragments of sensitive in-memory data, while multiple malformed requests could allow larger data leaks, potentially exposing full databases.
Exploitation and Proof-of-Concept
- A proof-of-concept (PoC) exploit was published shortly after the vulnerability was disclosed, enabling attackers to retrieve sensitive information easily.
- Elastic Security’s PoC highlights how session tokens, passwords, and API keys can be extracted from affected servers.
- Wiz reports that roughly 42% of cloud environments contain MongoDB instances vulnerable to MongoBleed.
- Security researcher Kevin Beaumont notes there are over 200,000 vulnerable instances globally, with 87,000 exposed servers observed by Censys.
Mitigation and Recommendations
MongoDB released fixes on December 19, 2025, in the following versions:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30
Organizations running self-managed MongoDB instances should:
- Update to a patched version immediately.
- Disable Zlib compression temporarily if updating is not immediately possible.
- Hunt for signs of compromise in server logs before applying patches, as suggested by Recon InfoSec co-founder Eric Capuano.
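The following script is an added example, not code from MongoDB or any of the vendors cited above. It turns the two actionable items in this advisory into a check a defender can run against inventory data: whether a host's `mongod` version is at or above the fixed release for its branch, and whether zlib is still listed in `net.compression.compressors` (the interim mitigation until the patch is applied). The sample version strings and compressor lists are constructed inputs.

```python
"""Assess a self-managed MongoDB host against the MongoBleed fixes."""
import re

# Fixed releases published on December 19, 2025, keyed by release branch.
PATCHED = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from e.g. 'db version v7.0.25'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True only if the version is at or above the fix for its branch.
    Branches without a listed fix (e.g. 8.1.x) are treated as unpatched,
    since no fixed release exists for them in the advisory."""
    major, minor, patch = parse_version(version)
    fixed = PATCHED.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


def zlib_enabled(compressors: str) -> bool:
    """Check a net.compression.compressors value such as 'snappy,zstd,zlib'."""
    names = [c.strip().lower() for c in compressors.split(",") if c.strip()]
    return "zlib" in names


def assess(version: str, compressors: str) -> str:
    """Combine both checks into a single verdict for one host."""
    if is_patched(version):
        return "patched"
    if zlib_enabled(compressors):
        return "vulnerable: unpatched and zlib enabled"
    return "mitigated: unpatched but zlib disabled"


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    print(assess("db version v7.0.25", "snappy,zstd,zlib"))  # vulnerable
    print(assess("db version v7.0.28", "snappy,zstd,zlib"))  # patched
    print(assess("db version v6.0.20", "snappy,zstd"))       # mitigated
```

Feed it the output of `mongod --version` and the compressors value from each host's configuration; a "mitigated" verdict is a stopgap, and the host still needs the patched release.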
Wiz warns that because the vulnerability does not require user interaction and is easy to exploit, organizations should assume a high likelihood of mass exploitation and take urgent preventive action.