Active Exploitation of MongoDB Flaw Puts Thousands of Databases at Risk

More than 87,000 internet-exposed MongoDB servers could be vulnerable.


Key Takeaways:

  • A critical MongoDB flaw is being actively exploited by hackers.
  • Tens of thousands of internet-exposed MongoDB instances worldwide may be at risk if left unpatched.
  • Immediate mitigation and tighter access controls are essential to reduce potential data exposure.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are actively exploiting a newly disclosed MongoDB vulnerability. Researchers found that more than 87,000 MongoDB instances worldwide remain potentially exposed, which significantly raises the risk of large-scale data compromise.

MongoBleed (tracked as CVE-2025-14847) is a critical vulnerability in MongoDB that stems from improper handling of zlib-compressed network messages before authentication. When a specially crafted compressed packet is sent to a vulnerable server, this flaw causes the server to return uninitialized memory from its heap. This leaked data can include sensitive information such as credentials or configuration details, and the attack requires no prior authentication, which makes it highly dangerous for exposed instances.

“Attackers can exploit this to extract sensitive information from MongoDB servers, including user information, passwords, API keys and more. Although the attacker might need to send a large number of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered,” an OX Security researcher explained.

Proof-of-concept release

The MongoBleed vulnerability, which carries a CVSS score of 8.7, was first identified on December 15, 2025. It affects MongoDB 8.2.0–8.2.2, 8.0.0–8.0.16, 7.0.0–7.0.27, 6.0.0–6.0.26, 5.0.0–5.0.31, 4.4.0–4.4.29, and all 4.2, 4.0, and 3.6 releases. An Elastic Security researcher published a proof of concept on December 26.

According to Censys data, there are approximately 87,000 MongoDB instances exposed to the public internet that could be vulnerable to the MongoBleed flaw. The largest concentration is in the United States with about 20,000 servers, followed by China with roughly 17,000, and Germany hosting around 8,000. This widespread exposure significantly increases the risk of exploitation, especially for systems lacking proper patching or network restrictions.

Recommended mitigations and security best practices

Organizations should prioritize patching affected MongoDB versions immediately by upgrading to the fixed releases (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30). Where immediate patching isn’t possible, a temporary workaround is to disable zlib compression by removing it from the compressor list (the networkMessageCompressors command-line option or the net.compression.compressors configuration setting), either switching to the alternatives Snappy or Zstd or disabling compression entirely.

Additionally, organizations should reduce exposure by restricting public access to MongoDB servers through firewalls or private networking. Administrators should also monitor for unusual pre-authentication activity or unexpected crashes and apply published detection guidance. Finally, they must phase out unsupported MongoDB versions, which will not receive a fix and remain permanently vulnerable.
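As an added example (not the article's or MongoDB's own tooling), the script below encodes the affected and fixed release numbers listed above to classify a running mongod version, and rewrites a net.compression.compressors value to drop zlib as the workaround describes. The version strings and compressor list it is run on are constructed sample input.

```python
"""Triage helper for MongoBleed (CVE-2025-14847): version check plus zlib removal.
Added example; the release numbers come from the advisory summary above."""
from typing import Dict, Optional, Tuple

# (major, minor) -> (last vulnerable patch, first fixed patch).
# None means every release in that branch is affected and no fix exists (phase out).
AFFECTED: Dict[Tuple[int, int], Tuple[Optional[int], Optional[int]]] = {
    (8, 2): (2, 3), (8, 0): (16, 17), (7, 0): (27, 28),
    (6, 0): (26, 27), (5, 0): (31, 32), (4, 4): (29, 30),
    (4, 2): (None, None), (4, 0): (None, None), (3, 6): (None, None),
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '8.0.16' into (8, 0, 16); pre-release suffixes are ignored."""
    major, minor, patch = (int(p.split("-")[0]) for p in v.split(".")[:3])
    return major, minor, patch


def assess_version(v: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target) for a mongod version string."""
    major, minor, patch = parse_version(v)
    if (major, minor) not in AFFECTED:
        return "not-listed", None          # branch not named in the advisory
    last_vuln, first_fixed = AFFECTED[(major, minor)]
    if last_vuln is None:
        return "unsupported", None         # whole branch vulnerable, no patch available
    if patch <= last_vuln:
        return "vulnerable", f"{major}.{minor}.{first_fixed}"
    return "patched", None


def harden_compressors(value: str) -> str:
    """Strip zlib from a comma-separated compressor list.
    If nothing is left, return 'disabled', the value that turns compression off."""
    kept = [c.strip() for c in value.split(",") if c.strip().lower() not in ("zlib", "")]
    return ",".join(kept) if kept else "disabled"


if __name__ == "__main__":
    # Constructed sample inputs, not data from any real deployment.
    for version in ("8.0.16", "8.0.17", "4.2.5", "8.2.2"):
        print(version, assess_version(version))
    print("snappy,zlib,zstd ->", harden_compressors("snappy,zlib,zstd"))
    print("zlib ->", harden_compressors("zlib"))
```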