
A recently disclosed security vulnerability in MongoDB has been exploited in the wild, with over 87,000 potentially vulnerable instances identified worldwide.
The vulnerability in question, CVE-2025-14847 (CVSS score: 8.7), code-named MongoBleed, could allow an unauthenticated remote attacker to leak sensitive data from the memory of a MongoDB server.
“A flaw in zlib compression could allow an attacker to cause information disclosure,” OX Security said. “By sending malformed network packets, an attacker can extract pieces of private data.”

The root cause lies in the MongoDB server’s zlib message decompression implementation (‘message_compressor_zlib.cpp’). It affects instances that have zlib compression enabled, which is the default configuration. Successful exploitation could allow an attacker to extract sensitive information such as user records, passwords, and API keys from a MongoDB server.
“An attacker would have to send a large number of requests to collect the entire database, and some data may be meaningless, but the more time the attacker has, the more information they may be able to collect,” OX Security added.
According to cloud security company Wiz, CVE-2025-14847 stems from a flaw in the zlib-based network message decompression logic: an unauthenticated attacker can send a malformed compressed network packet that triggers the bug and exposes uninitialized heap memory, with no valid credentials or user interaction required.

Security researchers Merav Bar and Amitai Cohen said: “The affected logic returned the allocated buffer size (output.length()) rather than the actual decompressed data length, allowing an undersized or malformed payload to expose adjacent heap memory.” They added: “MongoDB servers exposed to the internet are particularly at risk because this vulnerability is reachable before authentication and requires no user interaction.”
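To make the bug class concrete for defenders, the following Python toy is an added illustration (not code from MongoDB, OX Security or Wiz) of the length-handling error described above: a decompressor that hands back the whole allocated buffer instead of only the bytes zlib actually produced, beside the corrected variant. The “heap” is a constructed byte string standing in for uninitialized memory, and all function names are hypothetical.

```python
import zlib

# Constructed stand-in for uninitialized heap memory: a buffer that still
# holds bytes left over from an earlier request.
STALE_HEAP = b"previous-user:S3cretP@ss;" * 4

# Constructed 5-byte message used by the usage section and the checks below.
SAMPLE_MESSAGE = zlib.compress(b"hello")


def _allocate(declared_size: int) -> bytearray:
    """Allocate an output buffer of the size the client declared, without
    clearing it (that is what makes stale contents observable)."""
    if declared_size <= 0:
        raise ValueError("declared size must be positive")
    return bytearray(STALE_HEAP[:declared_size].ljust(declared_size, b"\x00"))


def decompress_flawed(payload: bytes, declared_size: int) -> bytes:
    """Mirrors the flawed logic: the caller receives the whole allocated
    buffer (output.length()), not just the bytes zlib actually wrote."""
    output = _allocate(declared_size)
    data = zlib.decompressobj().decompress(payload, declared_size)
    output[: len(data)] = data
    return bytes(output)  # bug: length is declared_size, not len(data)


def decompress_fixed(payload: bytes, declared_size: int) -> bytes:
    """Corrected logic: return only the bytes that were written, and reject
    a message whose declared size does not match what was decompressed."""
    output = _allocate(declared_size)
    data = zlib.decompressobj().decompress(payload, declared_size)
    if len(data) != declared_size:
        raise ValueError(
            f"declared {declared_size} bytes but decompressed {len(data)}"
        )
    output[: len(data)] = data
    return bytes(output[: len(data)])


def leaked_bytes(payload: bytes, declared_size: int) -> bytes:
    """Bytes the flawed path hands back beyond the real decompressed data."""
    actual = zlib.decompress(payload)
    return decompress_flawed(payload, declared_size)[len(actual):]


if __name__ == "__main__":
    print(decompress_flawed(SAMPLE_MESSAGE, 40))  # "hello" followed by stale bytes
    print(leaked_bytes(SAMPLE_MESSAGE, 40))       # the over-read
    print(decompress_fixed(SAMPLE_MESSAGE, 5))    # b"hello"
```

The difference between the two functions is the single return statement: the fixed path derives its length from what the decompressor reported and treats a mismatch with the declared size as a malformed message rather than silently returning padding.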
According to data from attack surface management company Censys, there are over 87,000 potentially vulnerable instances, with the majority located in the United States, China, Germany, India, and France. Wiz noted that 42% of cloud environments have at least one MongoDB instance with a version vulnerable to CVE-2025-14847. This includes both internet-exposed and internal resources.

Details of the in-the-wild exploitation of this flaw are not known at this time. We recommend that users update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. MongoDB Atlas has already been patched. Note that the Ubuntu rsync package also uses zlib, so it is affected by this vulnerability as well.
As a temporary workaround, we recommend disabling zlib compression on your MongoDB server by starting mongod or mongos with a networkMessageCompressors command-line option or a net.compression.compressors configuration setting that explicitly omits zlib. Other mitigations include limiting network exposure of MongoDB servers and monitoring MongoDB logs for anomalous pre-authentication connections.
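The two remediation steps above (patching to the fixed release of each branch, and removing zlib from the compressor list until then) can be checked from an inventory in a few lines. The following Python is an added example, not a tool from MongoDB or any of the vendors quoted here; the fixed-version table is the one stated above, the default compressor list “snappy,zstd,zlib” is an assumption about MongoDB’s documented default, and the function names are hypothetical.

```python
from typing import Optional

# Fixed releases per branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Assumption: MongoDB's documented default compressor list when the option is unset.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text: str) -> tuple:
    """Turn '8.0.16' or 'v8.0.16-rc1' into (8, 0, 16)."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_patch(version: str) -> Optional[bool]:
    """True if the server is below the fixed release of its branch, False if
    at or above it, None if the branch is not covered by the advisory list
    (unknown, so treated as exposed by audit() rather than as safe)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def _compressor_list(value: Optional[str]) -> list:
    value = DEFAULT_COMPRESSORS if value is None else value
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def zlib_enabled(compressors: Optional[str]) -> bool:
    """compressors is the value of --networkMessageCompressors /
    net.compression.compressors, or None when the option was not set."""
    return "zlib" in _compressor_list(compressors)


def without_zlib(compressors: Optional[str]) -> str:
    """Replacement option value that keeps the other compressors and drops
    zlib; 'disabled' is MongoDB's keyword for no network compression."""
    kept = [c for c in _compressor_list(compressors) if c != "zlib"]
    return ",".join(kept) if kept else "disabled"


def audit(version: str, compressors: Optional[str]) -> dict:
    """Summarise one server's exposure and the interim action to take."""
    patch_state = needs_patch(version)
    zlib_on = zlib_enabled(compressors)
    exposed = patch_state is not False and zlib_on
    return {
        "version": version,
        "needs_patch": patch_state,
        "zlib_enabled": zlib_on,
        "exposed": exposed,
        "workaround": (
            f"--networkMessageCompressors {without_zlib(compressors)}"
            if exposed else None
        ),
    }


if __name__ == "__main__":
    # Constructed inventory rows: (reported version, configured compressors).
    for ver, comp in [("8.0.16", None), ("7.0.28", "snappy,zlib"), ("6.0.20", "snappy,zstd")]:
        print(audit(ver, comp))
```

A server on a branch the advisory does not list (for example an end-of-life 3.x) is reported as exposed rather than safe, which is the conservative reading; the workaround string is only offered when the version is not known to be fixed and zlib is still in the negotiated list.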
