Attack

Massive Data Exposure as Attackers Exploit MongoBleed Vulnerability

Take action: Make sure all database servers are isolated from the internet and accessible from trusted networks only. Then patch ASAP! If you can't update your MongoDB instance immediately, disable zlib compression.

The MongoDB memory leak flaw dubbed "MongoBleed" is being actively exploited. Security scans show over 75,000 databases left open on the internet, with the highest numbers of exposed servers in China, the United States, and Germany.

The flaw is tracked as CVE-2025-14847 (CVSS score 8.7) and is caused by improper handling of mismatched length fields in zlib-compressed protocol headers.

When processing compressed protocol headers, MongoDB Server's zlib decompression path trusts the length values supplied in incoming messages without validating them. By sending crafted requests with mismatched or incorrect length fields, an attacker can confuse the server's decompression logic so that it returns uninitialized heap memory instead of valid data.

Ransomware groups are already using a public exploit script to find targets. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its list of known exploited bugs. 

MongoDB Atlas users are already safe because the company has patched those systems. For self-hosted users, the company released fixes for versions 4.4 through 8.2. Older versions such as 3.6, 4.0, and 4.2 will not get a patch. If you cannot update, you must turn off zlib compression in your server settings immediately.
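The two mitigations above (isolate the server from the internet; remove zlib from the negotiated compressors if you cannot patch yet) map onto a handful of settings in the server's YAML configuration file. The fragment below is an added example, not configuration from the article or from MongoDB; it assumes a self-hosted mongod reading a `mongod.conf` file, and the interface addresses are constructed placeholders. The commented-out block shows the weak settings, the live block the corrected ones.

```yaml
# mongod.conf (added example, not from the article; assumes a self-hosted
# mongod on Linux that reads this YAML file at startup)

# --- Weak: reachable on every interface and still negotiating zlib ---
# net:
#   bindIp: 0.0.0.0                # listens on all interfaces, including internet-facing ones
#   compression:
#     compressors: snappy,zstd,zlib

# --- Corrected: private listeners only, zlib removed until the server is patched ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5       # constructed: loopback plus the private address clients use
  compression:
    compressors: snappy,zstd       # zlib dropped; peers that only offer zlib fall back to uncompressed
security:
  authorization: enabled           # require authenticated users even on the trusted network
```

After restarting mongod, confirm the running process picked up the new values by running `db.adminCommand({ getCmdLineOpts: 1 })` from mongosh, which echoes the parsed `net.compression.compressors` and `net.bindIp` settings; the compressor list can equally be set at launch with `--networkMessageCompressors snappy,zstd`. Removing zlib is a stopgap that narrows the reachable code path; the fix is still the vendor patch.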
