Thousands of servers exposed as MongoBleed vulnerability exploited

News
By published

A proof-of-concept is now available on the internet

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock)
  • MongoBleed (CVE-2025-14847) leaks sensitive data via uninitialized heap memory exploitation
  • Roughly 87,000 exposed MongoDB instances vulnerable; most located in U.S., China, and Germany
  • Patch released December 19; MongoDB Atlas auto-patched, no confirmed in-the-wild abuse yet

MongoBleed, a high-severity vulnerability plaguing multiple versions of MongoDB, can now easily be exploited since a proof-of-concept (PoC) is now available on the web.

Earlier this week, security researcher Joe Desimone published code that exploits a “read of uninitialized heap memory” vulnerability tracked as CVE-2025-14847. This vulnerability, rated 8.7/10 (high), stems from “mismatched length fields in Zlib compressed protocol headers”.

By sending a poisoned message claiming a larger size when decompressed, the attacker can cause the server to allocate a bigger memory buffer, through which they would leak in-memory data containing sensitive information, such as credentials, cloud keys, session tokens, API keys, configurations, and other data.

How to stay safe

What’s more - the attackers exploiting MongoBleed do not need valid credentials to pull the attack off.

In its writeup, BleepingComputer confirms that there are roughly 87,000 potentially vulnerable instances exposed on the public internet, as per data from Censys. The majority are located in the United States (20,000), with notable instances in China (17,000), and Germany (around 8,000).

Here is a list of all the vulnerable versions:

MongoDB 8.2.0 through 8.2.3

MongoDB 8.0.0 through 8.0.16

MongoDB 7.0.0 through 7.0.26

MongoDB 6.0.0 through 6.0.26

MongoDB 5.0.0 through 5.0.31

MongoDB 4.4.0 through 4.4.29

All MongoDB Server v4.2 versions

All MongoDB Server v4.0 versions

All MongoDB Server v3.6 versions

If you are running any of the above, make sure to patch up - a fix for self-hosting instances has been available since December 19. Users running MongoDB Atlas don’t need to do anything, since their instances were automatically patched.

So far, there are no confirmed reports of in-the-wild abuse, although some researchers are linking MongoBleed to the recent Ubisoft Rainbow Six Siege breach.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.