- MongoBleed (CVE-2025-14847) leaks sensitive data due to the use of uninitialized heap memory.
- About 87,000 exposed MongoDB instances are vulnerable; most of them are located in the USA, China and Germany.
- Patch released on December 19; MongoDB Atlas has been patched automatically and there are no confirmed cases of abuse.
MongoBleed, a serious vulnerability affecting multiple versions of MongoDB, can now be easily exploited, as a proof of concept (PoC) is publicly available.
Earlier this week, security researcher Joe DeSimone published code that exploits the uninitialized heap memory read vulnerability tracked as CVE-2025-14847. This vulnerability, rated 8.7 out of 10 (High), is due to “mismatched length fields in Zlib compressed protocol headers.”
By sending a poisoned message that declares a larger size for the unpacked data than the message actually carries, an attacker can force the server to allocate a larger memory buffer, whose uninitialized contents are then leaked. That in-memory data can include sensitive information such as credentials, cloud keys, session tokens, API keys, configuration and other data.
Moreover, attackers using MongoBleed do not need valid credentials to carry out an attack.
In its report, BleepingComputer confirms that there are approximately 87,000 potentially vulnerable instances on the public Internet, according to Censys. Most are located in the United States (20,000), with notable cases in China (17,000) and Germany (about 8,000).
How to Stay Safe
Here is a list of all vulnerable versions:
- MongoDB 8.2.0 to 8.2.3
- MongoDB 8.0.0 to 8.0.16
- MongoDB 7.0.0 to 7.0.26
- MongoDB 6.0.0 to 6.0.26
- MongoDB 5.0.0 to 5.0.31
- MongoDB 4.4.0 to 4.4.29
- All versions of MongoDB Server 4.2
- All versions of MongoDB Server 4.0
- All versions of MongoDB Server 3.6
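To turn the list above into something a fleet inventory can be checked against, here is an added example (not code from the article or from MongoDB) that classifies version strings against the affected ranges as the article states them. The article does not name the fixed releases, so a version outside every listed range is reported only as "not listed", not as patched.

```python
# Added example (not from the article): checks MongoDB server version strings
# against the affected ranges listed above for CVE-2025-14847 (MongoBleed).
# Ranges come from the article; fixed releases are not named there, so the
# result only says whether a version falls inside a listed range.
import re

# (first affected, last affected), both inclusive
AFFECTED_RANGES = [
    ((8, 2, 0), (8, 2, 3)),
    ((8, 0, 0), (8, 0, 16)),
    ((7, 0, 0), (7, 0, 26)),
    ((6, 0, 0), (6, 0, 26)),
    ((5, 0, 0), (5, 0, 31)),
    ((4, 4, 0), (4, 4, 29)),
]
# Branches the article lists as affected in every version
AFFECTED_BRANCHES = [(4, 2), (4, 0), (3, 6)]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '7.0.26', 'v8.0.16' or '8.2.3-rc1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version lies inside one of the article's affected ranges."""
    v = parse_version(text)
    if v[:2] in AFFECTED_BRANCHES:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to 'affected', 'not listed' or 'unparseable'."""
    result = {}
    for text in versions:
        try:
            result[text] = "affected" if is_affected(text) else "not listed"
        except ValueError:
            result[text] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, e.g. db.version() collected across a fleet
    sample = ["8.2.3", "8.0.17", "7.0.26", "4.2.25", "3.6.23", "9.0.0", "latest"]
    for version, status in triage(sample).items():
        print(f"{version:>8}  {status}")
```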
If you are running any of the above, be sure to install the hotfix, which has been available for self-hosted instances since December 19. MongoDB Atlas users do not need to do anything, as their instances have been patched automatically.
There are currently no confirmed reports of abuse in real-world settings, although some researchers have linked MongoBleed to the recent Ubisoft Rainbow Six Siege hack.
Via BleepingComputer