Christmas gift: method to exploit MongoBleed vulnerability leaking MongoDB secrets showcased on web


A researcher has decided to demonstrate how a high-severity MongoDB vulnerability, tracked as CVE-2025-14847 and dubbed MongoBleed, can be exploited. The flaw affects multiple supported and legacy MongoDB Server versions.

According to researchers from Ox Security, the MongoBleed vulnerability stems from how the MongoDB server handles network packets processed by the zlib library for lossless data compression.

The problem is reportedly caused by MongoDB returning the amount of allocated memory when processing network messages instead of the length of the decompressed data.


The vulnerability was assigned a severity score of 8.7 and has been handled as a “critical fix.” A patch has been available for self-hosting instances since December 19th.

Essentially, a threat actor could send a malformed message that claims a larger size when decompressed, causing the server to allocate a larger memory buffer and leak whatever in-memory data that buffer contains, including sensitive information.
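To make the mechanism concrete, here is an added illustration of the bug class described above, written for this article rather than taken from MongoDB's code: a hypothetical decompression routine that returns the allocated buffer instead of the bytes zlib actually produced, shown next to a hardened version that caps the allocation and rejects any header that disagrees with the decompressed length. The "stale memory" contents and the sample message are constructed.

```python
"""Illustration of the bug class described above: a decompression routine that
reports the allocated buffer size instead of the length zlib actually produced,
so stale bytes left in the buffer travel back to the client. Hypothetical code
for this article; it does not reproduce MongoDB's wire protocol or zlib code."""
import zlib

# Constructed "stale" memory: pretend the allocator handed back a buffer that
# previously held a credential string from another connection.
STALE_MEMORY = b"password=s3cr3t-db-pass;aws_key=AKIA...EXAMPLE;" * 4

PAYLOAD = b'{"ping":1}'               # constructed 10-byte message body
SAMPLE_BODY = zlib.compress(PAYLOAD)  # what the client actually sends


def decompress_vulnerable(claimed_len: int, body: bytes) -> bytes:
    """Buggy pattern: size the buffer from the untrusted header, write the
    real output at the start, then hand back the whole allocation."""
    buf = bytearray(STALE_MEMORY[:claimed_len].ljust(claimed_len, b"\0"))
    out = zlib.decompress(body)
    buf[:len(out)] = out       # only the genuine bytes get overwritten
    return bytes(buf)          # BUG: length is claimed_len, not len(out)


def decompress_fixed(claimed_len: int, body: bytes, max_len: int = 1 << 20) -> bytes:
    """Hardened pattern: bound the allocation, cap output at the claimed size,
    and reject any message whose header disagrees with what zlib produced."""
    if claimed_len > max_len:
        raise ValueError("claimed decompressed size exceeds limit")
    d = zlib.decompressobj()
    out = d.decompress(body, claimed_len)   # never inflate past the header value
    if not d.eof or len(out) != claimed_len:
        raise ValueError("decompressed length does not match header")
    return out                              # exactly the produced bytes, nothing stale


def rejects(claimed_len: int, body: bytes) -> bool:
    """True if the hardened decoder refuses the message."""
    try:
        decompress_fixed(claimed_len, body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = decompress_vulnerable(128, SAMPLE_BODY)   # header lies: 128, not 10
    print(len(leaked), leaked[len(PAYLOAD):])          # 118 stale bytes follow
    print(rejects(128, SAMPLE_BODY), rejects(10, SAMPLE_BODY))  # True False
```

The hardened decoder also refuses a header that is smaller than the real output, since a stream that has not reached its end (`d.eof` is false) is just as inconsistent as one that is too short.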


The secrets leaked this way include credentials, API and cloud keys, session tokens, personally identifiable information, internal logs, paths, configurations, and client-related data, Ox Security researchers said.

“Although the attacker might need to send a large amount of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered,” they added.

And since the decompression of network messages occurs before the authentication stage, a threat actor willing to exploit MongoBleed doesn’t even need valid credentials.

Has my data been leaked?

Indeed, a public exploit and all relevant technical details are available online. They show how attackers can trigger the flaw to remotely extract secrets, credentials, and other sensitive data from an exposed MongoDB server.


The public exploit has been released as a proof-of-concept (PoC) by Elastic security researcher Joe Desimone to specifically show how sensitive memory data can be leaked. We presume that attackers are sending Desimone their thanks.

In a blog post, security researcher Kevin Beaumont also called the decision to release the PoC right before Christmas bizarre, but said he had validated that the exploit is real.

“You can just supply an IP address of a MongoDB instance and it’ll start ferreting out in memory things such as database passwords (which are plain text), AWS secret keys etc.,” wrote Beaumont.

“Because of how simple this is now to exploit – the bar is removed – expect a high likelihood of mass exploitation and related security incidents.”

According to Censys, a platform for discovering internet-connected devices, as of December 27th, there were more than 87,000 potentially vulnerable MongoDB instances exposed on the public internet.


Customers of MongoDB Atlas, the fully managed, multi-cloud database service, received the patch automatically, and no further action is needed.

For customers self-hosting MongoDB, patches are available. If updating to the latest fix version isn’t possible, users should disable zlib decompression.
