TL;DR: A critical MongoDB vulnerability lets attackers steal passwords, API keys, and session tokens from database servers without needing to authenticate. CVE-2025-14847, codenamed MongoBleed, affects 87,000 publicly exposed servers. Hackers started exploiting it December 26, 2025. CISA added it to its list of known exploited vulnerabilities December 29. Patch immediately.
What MongoBleed Does
MongoDB servers leak sensitive data from memory when attackers send malformed network packets. No password required. No authentication needed. Just send crafted packets to a vulnerable MongoDB instance and extract whatever's sitting in server memory: credentials, API keys, cloud access tokens, session data, configuration secrets.
CVE-2025-14847 scored 8.7 on the CVSS scale. That's "high severity," one step below critical. But when you can steal admin credentials without authentication, severity scores understate the problem. This is bad.
The flaw affects MongoDB versions 3.6 through 8.2.2. That's every major release from 2017 through November 2025. If you're running MongoDB and haven't patched in the last two weeks, you're vulnerable.
The Technical Breakdown
MongoDB uses zlib compression for network messages by default. When a client sends compressed data, the server decompresses it before processing. The decompression happens before authentication, before the server checks who you are or whether you're allowed access.
The bug is in message_compressor_zlib.cpp. MongoDB allocates a buffer for decompressed data based on the size declared in the compressed packet. But when handling malformed packets, the code returns the allocated buffer size instead of the actual decompressed data length. That means attackers can declare a large buffer size, send minimal actual data, and get back whatever was already sitting in that memory space.
It's a classic buffer over-read. The attacker controls the buffer size; the server hands back the whole allocation, including whatever stale data earlier operations left in that memory; the attacker receives sensitive data that should never leave the server. The attack works pre-authentication because compression handling runs before credential checks.
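The length-versus-capacity confusion described above, as an added toy model (not MongoDB's source and not the real wire protocol): a decompression routine that sizes its buffer from a peer-declared length and then returns the whole allocation, placed beside the hardened form that returns only the bytes zlib actually produced. The "stale heap" content and the sample payload are constructed for the example.

```python
import zlib

# Constructed stand-in for stale heap contents. On a real server this would be
# whatever an earlier request left behind in a reused allocation.
STALE_HEAP = b"user=admin;password=example-not-real;token=abc123;" * 4

# Constructed sample payload: two bytes of real data, zlib-compressed.
SAMPLE_PAYLOAD = zlib.compress(b"OK")


def _fresh_buffer(size: int) -> bytearray:
    """Allocate `size` bytes that still hold old data, modelling heap reuse."""
    return bytearray(STALE_HEAP[:size].ljust(size, b"\x00"))


def _inflate_into(buf: bytearray, payload: bytes) -> int:
    """Inflate `payload` into `buf` without writing past its end; return the
    number of bytes actually produced (the value a caller must use)."""
    if not buf:
        return 0
    out = zlib.decompressobj().decompress(payload, len(buf))
    buf[: len(out)] = out
    return len(out)


def decompress_vulnerable(declared_size: int, payload: bytes) -> bytes:
    """Models the bug class the article describes (a model, not MongoDB's code):
    the buffer is sized from the peer-declared length and the whole allocation
    is returned, not just the inflated bytes."""
    buf = _fresh_buffer(declared_size)
    _inflate_into(buf, payload)        # bytes-written result is discarded
    return bytes(buf)                  # stale memory after the real data leaks


def decompress_fixed(declared_size: int, payload: bytes) -> bytes:
    """Hardened form: return only the bytes zlib produced and reject a payload
    whose declared length disagrees with the actual decompressed length."""
    buf = _fresh_buffer(declared_size)
    written = _inflate_into(buf, payload)
    if written != declared_size:
        raise ValueError(f"declared {declared_size} bytes, inflated {written}")
    return bytes(buf[:written])


def leaked_bytes(declared_size: int, payload: bytes) -> int:
    """How many bytes beyond the real data the vulnerable path hands back."""
    real = len(zlib.decompress(payload))
    return len(decompress_vulnerable(declared_size, payload)) - real


if __name__ == "__main__":
    print(decompress_vulnerable(64, SAMPLE_PAYLOAD))   # b"OK" followed by stale bytes
    print(decompress_fixed(2, SAMPLE_PAYLOAD))         # b"OK"
    print(leaked_bytes(64, SAMPLE_PAYLOAD))            # 62
```

The point of the fixed variant is that the trusted quantity is what the decompressor reports, never what the peer declared; the declared length is only useful as a consistency check to reject.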
What Data Gets Exposed
Heap memory contains whatever the database was recently processing. That includes:
Authentication Credentials
Database usernames and passwords from recent login attempts. Admin credentials if an admin recently authenticated. Service account credentials used by applications connecting to MongoDB.
API Keys and Tokens
Cloud provider API keys stored in environment variables or configuration. Authentication tokens for external services. OAuth tokens. Session identifiers. Anything the application stores or passes through the database.
Personal Information
User data from recent queries. Names, email addresses, phone numbers. Payment information if stored in MongoDB. Health records if you're running a healthcare app. Financial data if you're a fintech company.
Application Secrets
Encryption keys, signing secrets, internal API endpoints, configuration data. Logs containing debug information. Error messages with stack traces revealing code structure.
The leaked data is random. Attackers can't target specific fields. They get fragments of whatever was in memory when the exploit runs. But send enough malformed packets and you'll eventually leak valuable secrets.
Active Attacks in the Wild
A public proof-of-concept exploit dropped December 26, 2025. Security researchers reported active exploitation shortly after. By December 29, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by January 19, 2026.
CISA doesn't add vulnerabilities to the KEV catalog speculatively. They require evidence of active exploitation targeting real systems. MongoBleed made the list three days after the public exploit appeared. That's fast, which means the attacks are widespread or high-impact enough to warrant emergency action.
Threat actors claimed to have used MongoBleed in the recent Rainbow Six Siege data breach, though that claim is difficult to verify. What's certain: attackers have working exploits, they're scanning for vulnerable servers, and they're actively extracting credentials.
87,000 Exposed Servers
Censys, an attack surface management company, scanned the internet for exposed MongoDB instances as of December 27, 2025. They found over 87,000 publicly accessible servers running vulnerable versions. That's servers directly reachable from the internet without VPNs or firewalls blocking access.
Geographic breakdown: nearly 20,000 in the United States, 17,000 in China, 8,000 in Germany, with the rest scattered across India, France, and dozens of other countries. These are the easy targets. Attackers don't need to compromise networks or bypass firewalls. Just send packets directly to port 27017 and start extracting data.
Cloud security firm Wiz looked at their customer data and found 42% of cloud environments have at least one MongoDB instance vulnerable to CVE-2025-14847. That includes both public-facing and internal databases. If you're running cloud infrastructure, odds are you've got a vulnerable MongoDB server somewhere.
Who Should Worry
Anyone running MongoDB versions 3.6 through 8.2.2 with zlib compression enabled, which is the default configuration. That means:
- Startups using MongoDB for user authentication and data storage
- E-commerce sites storing customer information and payment metadata
- Healthcare providers with patient records in MongoDB
- Financial services companies tracking transactions
- SaaS platforms managing customer data
- Mobile app backends using MongoDB for session management
- Internal tools and admin panels with MongoDB databases
MongoDB is everywhere. It's the most popular NoSQL database. Millions of applications rely on it. If your business stores sensitive data in MongoDB and you haven't patched, assume attackers can access it.
Managed MongoDB Atlas users got automatic patches. If you're on Atlas, you're probably fine. But if you're self-hosting MongoDB on AWS, Azure, Google Cloud, or your own servers, you need to patch manually.
How to Protect Yourself
MongoDB released patches December 19, 2025. Update to these versions immediately:
- MongoDB 8.2.3 (if you're on 8.2.x)
- MongoDB 8.0.17 (if you're on 8.0.x)
- MongoDB 7.0.28 (if you're on 7.0.x)
- MongoDB 6.0.27 (if you're on 6.0.x)
- MongoDB 5.0.32 (if you're on 5.0.x)
- MongoDB 4.4.30 (if you're on 4.4.x)
If you're still on versions 4.2, 4.0, or 3.6, those reached end-of-life years ago. No patches exist. Upgrade to a supported version or disable zlib compression as a temporary workaround.
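A small triage helper, added here as an example rather than anything MongoDB ships: it maps a server's version onto the fixed releases listed above, treats the end-of-life branches (3.6, 4.0, 4.2) and any unlisted branch as having no fix, and checks whether a mongod.conf still accepts zlib. The `local_mongod_version` helper and the assumption that the only `compressors:` key in the file is `net.compression.compressors` are mine.

```python
import re
import subprocess

# Fixed releases named in the article, keyed by release branch. Branches
# absent here (3.6, 4.0, 4.2) are end-of-life: no patch will be published.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
FIRST_AFFECTED = (3, 6, 0)   # affected range from the article: 3.6 through 8.2.2
LAST_AFFECTED = (8, 2, 2)


def parse_version(text: str) -> tuple:
    """Pull major.minor.patch out of a bare version string or the first line of
    `mongod --version` output, which looks like 'db version v7.0.14'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(text: str) -> str:
    """Classify a server version against the fixed releases above."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "no-fix-on-branch"      # EOL or unlisted branch: upgrade or disable zlib
    return "outside-listed-range"      # older than 3.6 or newer than anything listed


def zlib_enabled(config_text: str) -> bool:
    """Does this mongod.conf still accept zlib? Assumption: the only
    `compressors:` key in the file is net.compression.compressors. With no such
    key the server runs its default list, which the article notes includes zlib."""
    m = re.search(r"^\s*compressors:\s*(.+?)\s*$", config_text, re.MULTILINE)
    if not m:
        return True
    return "zlib" in [name.strip() for name in m.group(1).split(",")]


def is_exposed(version_text: str, config_text: str) -> bool:
    """True when the server runs an unfixed version AND still accepts zlib."""
    status = assess_version(version_text)
    return status in ("vulnerable", "no-fix-on-branch") and zlib_enabled(config_text)


def local_mongod_version() -> str:
    """Ask the locally installed mongod for its version (hypothetical helper;
    requires mongod on PATH)."""
    out = subprocess.run(["mongod", "--version"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    for sample in ("db version v7.0.14", "7.0.28", "4.2.25", "8.2.3"):
        print(sample, "->", assess_version(sample))
```

Run it against `mongod --version` output and the config file from each self-hosted node; Atlas deployments, as the article notes, were patched by the provider and do not need this check.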
To disable zlib compression without upgrading, start mongod or mongos with the networkMessageCompressors option set to exclude zlib. Use snappy or zstd instead. Example configuration:

```yaml
net:
  compression:
    compressors: snappy,zstd
```

That removes zlib from the list of accepted compressors. Existing connections using zlib will break, so coordinate the change with application teams. Better to break connections temporarily than leak credentials permanently.
Check If You've Been Hit
Review MongoDB server logs for anomalous pre-authentication connections. Look for unexpected crashes or connection attempts from unfamiliar IP addresses. MongoBleed exploitation may cause server instability as malformed packets trigger error conditions.
Security researchers released MongoBleed Detector, a tool that scans MongoDB instances to check vulnerability status. Run it against your databases to confirm patch levels. Don't run random security tools from GitHub without vetting them, but if you're already compromised, detection beats ignorance.
Rotate all credentials that could have been stored in MongoDB or passed through it in the last two months. That includes database passwords, API keys, cloud access tokens, and application secrets. If it touched MongoDB since November 2025, assume it leaked.
Check for unauthorized database access after December 26. Review user creation logs, privilege escalation events, and data export activity. Attackers who steal admin credentials will create backdoor accounts or dump data for later sale.
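The log review described above, worked through as an added example (not a tool from the page or from MongoDB): it reads mongod's JSON-format log lines, pairs each connection with any authentication event on it, and reports source IPs that sit outside your trusted ranges, repeatedly connect without ever authenticating, or trigger errors on their connections. The sample log lines are constructed in the shape of mongod's JSON log; the addresses, timestamps, error text and the error line's `id` are made up, and the threshold is an assumption to tune for your environment.

```python
import ipaddress
import json
from collections import defaultdict

UNAUTH_THRESHOLD = 3   # connections from one IP that ended without any auth event


def _line(ts, sev, comp, id_, ctx, msg, attr):
    """Build one line in the shape of mongod's JSON log (constructed sample)."""
    return json.dumps({"t": {"$date": ts}, "s": sev, "c": comp, "id": id_,
                       "ctx": ctx, "msg": msg, "attr": attr})


def _accept(ts, remote, cid):
    return _line(ts, "I", "NETWORK", 22943, "listener", "Connection accepted",
                 {"remote": remote, "connectionId": cid})


def _end(ts, remote, cid):
    return _line(ts, "I", "NETWORK", 22944, f"conn{cid}", "Connection ended",
                 {"remote": remote, "connectionId": cid})


# Constructed sample: one application connection that authenticates, then a
# burst of short connections from an outside address that never authenticate,
# the last one producing a receive error (its "id" is a placeholder).
SAMPLE_LOG = [
    _accept("2025-12-27T03:14:01.000+00:00", "10.0.1.20:51234", 101),
    _line("2025-12-27T03:14:01.050+00:00", "I", "ACCESS", 5286306, "conn101",
          "Successfully authenticated", {"user": "app", "db": "admin"}),
    _end("2025-12-27T03:14:09.000+00:00", "10.0.1.20:51234", 101),
]
for _i in range(5):
    _cid, _remote = 102 + _i, f"203.0.113.77:{40000 + _i}"
    SAMPLE_LOG.append(_accept(f"2025-12-27T03:15:{_i:02d}.000+00:00", _remote, _cid))
    if _i == 4:
        SAMPLE_LOG.append(_line(f"2025-12-27T03:15:{_i:02d}.010+00:00", "E", "NETWORK", 0,
                                f"conn{_cid}", "Error receiving request from client",
                                {"remote": _remote, "error": "constructed: malformed compressed message"}))
    SAMPLE_LOG.append(_end(f"2025-12-27T03:15:{_i:02d}.020+00:00", _remote, _cid))


def _ip_of(remote: str) -> str:
    """'203.0.113.77:40001' -> '203.0.113.77'; '[::1]:27017' -> '::1'."""
    return remote.rsplit(":", 1)[0].strip("[]")


def _conn_id(ctx: str):
    """'conn102' -> 102; anything else -> None."""
    return int(ctx[4:]) if ctx.startswith("conn") and ctx[4:].isdigit() else None


def triage(lines, trusted_cidrs):
    """Summarise per-source-IP behaviour and return the IPs worth a closer look."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    open_conns = {}                                   # connectionId -> {"ip", "auth"}
    stats = defaultdict(lambda: {"connections": 0, "unauthenticated": 0, "errors": 0})
    for raw in lines:
        try:
            ev = json.loads(raw)
        except (TypeError, ValueError):
            continue                                  # not a JSON log line
        comp, msg, ctx, attr = ev.get("c"), ev.get("msg"), ev.get("ctx", ""), ev.get("attr", {})
        cid = _conn_id(ctx)
        if comp == "NETWORK" and msg == "Connection accepted":
            ip = _ip_of(attr["remote"])
            open_conns[attr["connectionId"]] = {"ip": ip, "auth": False}
            stats[ip]["connections"] += 1
        elif comp == "ACCESS" and cid in open_conns:
            open_conns[cid]["auth"] = True            # any auth attempt counts
        elif comp == "NETWORK" and msg == "Connection ended":
            conn = open_conns.pop(attr.get("connectionId"), None)
            if conn and not conn["auth"]:
                stats[conn["ip"]]["unauthenticated"] += 1
        elif ev.get("s") in ("E", "F") and cid in open_conns:
            stats[open_conns[cid]["ip"]]["errors"] += 1
    findings = []
    for ip, s in stats.items():
        untrusted = not any(ipaddress.ip_address(ip) in net for net in trusted)
        reasons = []
        if untrusted:
            reasons.append("source outside trusted ranges")
        if s["unauthenticated"] >= UNAUTH_THRESHOLD:
            reasons.append(f"{s['unauthenticated']} connections ended without authenticating")
        if s["errors"]:
            reasons.append(f"{s['errors']} error(s) on its connections")
        if reasons:
            findings.append({"ip": ip, "untrusted": untrusted, "reasons": reasons, **s})
    return sorted(findings, key=lambda f: -f["connections"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f["ip"], f["reasons"])
```

Feed it the real log with `triage(open("/var/log/mongodb/mongod.log"), ["10.0.0.0/8"])` and your own trusted ranges; a flagged IP is a reason to pull the full log window for those connection ids and to start the credential rotation above, not proof of exploitation on its own.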
Network-Level Defenses
MongoDB should never be exposed to the public internet. Use firewalls to restrict access to trusted IP ranges. Put MongoDB behind VPNs or private networks. Use cloud provider security groups to limit inbound connections to application servers only.
If you're in the 87,000 with public MongoDB access, fix that today. Even with patches applied, exposing databases to the internet invites attacks. Vulnerabilities will appear again. Keep databases internal.
Enable TLS encryption for MongoDB connections. That won't stop MongoBleed (the attack works pre-authentication regardless of encryption) but it protects against credential interception and man-in-the-middle attacks. Defense in depth matters.
What Users Can Do
You can't patch MongoDB servers you don't control. But you can protect yourself from the fallout:
Change Your Passwords
If a service you use runs MongoDB, change your password. Enable two-factor authentication if available. Attackers who steal database credentials will try credential stuffing attacks against user accounts.
Monitor for Data Breaches
Watch Have I Been Pwned for new breaches. Set up breach alerts. If a company announces a MongoDB-related incident, assume your data was included.
Check Your Accounts
Review recent account activity on services you use. Look for unauthorized logins, unusual transactions, or profile changes you didn't make. MongoBleed gives attackers session tokens that let them impersonate users.
Use Password Managers
Unique passwords for every service limit damage when one database leaks. If attackers dump a MongoDB database with your credentials, they only compromise that one account, not your entire digital life.
Companies won't necessarily disclose MongoBleed breaches. Many won't even know they were hit. Leaked credentials get sold quietly on dark web markets. By the time you notice unauthorized account access, attackers have been using your data for weeks. Change passwords proactively.
Database Security Matters
MongoBleed is the latest in a series of database vulnerabilities that leak sensitive data through memory corruption bugs. Similar flaws hit PostgreSQL, MySQL, and Redis in recent years. The pattern is clear: databases handle sensitive data, run with elevated privileges, and often have exposed attack surfaces. That makes them prime targets, especially in healthcare, where the ongoing ransomware epidemic has exposed tens of millions of patient records.
Pre-authentication vulnerabilities are especially dangerous. Attackers don't need valid credentials to exploit them. Network access is enough. And because many organizations expose databases to the internet for legitimate access, that attack surface is huge.
The MongoDB security team fixed CVE-2025-14847 quickly after discovery. Patches came out December 19. Public exploit appeared December 26. Seven-day window between patch and weaponization. That's not enough time for most organizations to test updates, schedule maintenance windows, and deploy patches across production systems.
Enterprises move slowly. Startups running lean teams might not even know MongoBleed exists. And attackers move fast. They scripted the exploit, scanned for vulnerable servers, and started harvesting credentials within days of public disclosure. The economics favor attackers.
Patch faster. Monitor aggressively. Keep databases off the public internet. Or accept that sensitive data will leak.
References
- Wiz - MongoBleed: Critical MongoDB Vulnerability CVE-2025-14847
- BleepingComputer - Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed
- The Hacker News - MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide
- CISA - CISA Adds One Known Exploited Vulnerability to Catalog
- NVD - CVE-2025-14847
- Cybersecurity News - MongoBleed Detector Tool Released
- BitSight - CVE-2025-14847 MongoDB "MongoBleed": Details, Next Steps