Serious MongoDB Flaw CVE-2025-14847 Under Exploitation
MongoDB disclosed the vulnerability (CVE-2025-14847) on Dec. 19 and a few days later, a public exploit for it appeared online.

December 29, 2025 | 1 min read

Researchers are warning organizations to upgrade their MongoDB instances to protect against a severe vulnerability that has been in the product for more than 10 years and can allow an attacker to read in-memory data without any user interaction or authentication.
MongoDB disclosed the vulnerability (CVE-2025-14847) on Dec. 19 and a few days later, a public exploit for it appeared online. Although patches are available for the affected versions of MongoDB, data from Censys shows that there are more than 87,000 potentially vulnerable instances exposed to the internet. The exploit has been available for several days at this point, upping the urgency for organizations to upgrade their vulnerable instances.
The vulnerability is quite serious, given the possibility of pre-authentication exploitation and how many versions of MongoDB are affected.
“By sending malformed, compressed network packets, an unauthenticated attacker can trigger the server to mishandle decompressed message lengths, resulting in uninitialized heap memory being returned to the client. This allows attackers to remotely leak fragments of sensitive in-memory data without valid credentials or user interaction,” Merav Bar and Amitai Cohen of Wiz wrote in an analysis of the bug.
“At a code level, the vulnerability was caused by incorrect length handling in message_compressor_zlib.cpp. The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory.”
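As an added illustration of the length-handling mistake the Wiz analysts describe, the C++ below is constructed example code, not MongoDB's message_compressor_zlib.cpp and not taken from the Wiz analysis. It stands in a toy run-length decoder for zlib inflate and a deterministic "stale heap" buffer for real uninitialized memory, so it runs the same way every time. decompressVulnerable reports the allocated buffer size as the decompressed length, so a client that overstates the uncompressed size in the message header receives whatever the buffer already held past the real data; decompressFixed reports the decoder's actual byte count and rejects a mismatch. The function names, the payload, the stale-buffer contents and the mismatch check are this example's own assumptions, not a description of MongoDB's patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Simulated stale heap: a block freed after serving an earlier request. In a real
// process the leftover bytes are whatever was there last; here they are fixed so
// the example is deterministic (constructed data, not a real leak).
static const std::string kStaleHeap = "prev-request: password=hunter2;";

// Stand-in for a heap allocation that is not cleared before reuse.
static std::vector<uint8_t> allocUncleared(size_t n) {
    std::vector<uint8_t> buf(n);
    for (size_t i = 0; i < n; ++i)
        buf[i] = static_cast<uint8_t>(kStaleHeap[i % kStaleHeap.size()]);
    return buf;
}

// Toy run-length decoder standing in for zlib inflate. Input is (count, byte)
// pairs. Returns the number of bytes actually written, which is less than the
// buffer capacity whenever the compressed data is short or truncated.
static size_t toyInflate(const std::vector<uint8_t>& in, std::vector<uint8_t>& out) {
    size_t written = 0;
    for (size_t i = 0; i + 1 < in.size(); i += 2) {
        for (uint8_t c = 0; c < in[i]; ++c) {
            if (written == out.size()) return written;  // out of room: stop early
            out[written++] = in[i + 1];
        }
    }
    return written;
}

// Vulnerable pattern: the uncompressed length comes from the client-controlled
// header, a buffer of that size is allocated, and the buffer size (out.size(),
// mirroring output.length() in the quoted analysis) is treated as the decompressed
// length. Everything past `written` is sent back to the client as if it were data.
std::vector<uint8_t> decompressVulnerable(const std::vector<uint8_t>& payload, uint32_t claimedLen) {
    std::vector<uint8_t> out = allocUncleared(claimedLen);
    (void)toyInflate(payload, out);  // actual length discarded
    return out;                      // whole buffer, stale bytes included
}

// Hardened pattern: return only the bytes the decoder produced, and treat a
// mismatch with the header's claim as a malformed message.
std::vector<uint8_t> decompressFixed(const std::vector<uint8_t>& payload, uint32_t claimedLen) {
    std::vector<uint8_t> out = allocUncleared(claimedLen);
    size_t written = toyInflate(payload, out);
    if (written != claimedLen)
        throw std::runtime_error("decompressed length does not match header");
    return std::vector<uint8_t>(out.begin(), out.begin() + written);
}

// Constructed compressed payload: 3 x 'A', 2 x 'B' -> "AAABB" (5 bytes).
const std::vector<uint8_t> kPayload = {3, 'A', 2, 'B'};
const size_t kRealLength = 5;

// Stale bytes a client receives from the vulnerable path for a given header claim.
size_t leakedByteCount(uint32_t claimedLen) {
    std::vector<uint8_t> got = decompressVulnerable(kPayload, claimedLen);
    return got.size() > kRealLength ? got.size() - kRealLength : 0;
}

// True if the hardened path refuses the message for this header claim.
bool fixedRejects(uint32_t claimedLen) {
    try {
        (void)decompressFixed(kPayload, claimedLen);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

int main() {
    std::vector<uint8_t> v = decompressVulnerable(kPayload, 16);
    std::cout << "vulnerable path returned " << v.size() << " bytes; trailing fragment: \""
              << std::string(v.begin() + kRealLength, v.end()) << "\"\n";
    std::cout << "hardened path rejects claimed length 16: " << (fixedRejects(16) ? "yes" : "no") << "\n";
    return 0;
}
```

The point to take from the two functions is that the decoder's own return value, not the size of the buffer you handed it, is the only trustworthy measure of how much output exists; a client that controls the declared uncompressed length otherwise controls how much of the surrounding heap it reads.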
The bug is also known as MongoBleed, because vulnerabilities can’t be taken seriously without a punchy name, and with public exploitation underway, organizations should prioritize patching vulnerable instances immediately.
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.