The Cybersecurity and Infrastructure Security Agency (CISA) has officially sounded the alarm on a critical vulnerability in MongoDB, adding the flaw to its Known Exploited Vulnerabilities (KEV) Catalog. The move confirms that the bug, dubbed “MongoBleed,” is being actively exploited by hackers to steal sensitive data from servers worldwide.
The vulnerability, tracked as CVE-2025-14847, carries a severity score of 8.7 and affects a massive range of MongoDB Server versions, from legacy installs to modern releases.
CISA’s intervention follows reports of widespread abuse. The agency warned that “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise”.
The flaw is severe. It stems from an “Improper Handling of Length Parameter Inconsistency” within the database’s use of the zlib compression library.
Security researchers at Ox Security have described how the bug works: when processing a network message, MongoDB reports the size of the memory it allocated rather than the actual size of the decompressed data.
This inconsistency lets an attacker send a “malformed message asserting an exaggerated decompressed size,” tricking the server into allocating a large memory buffer. The server then returns the contents of that uninitialized memory to the attacker.
By exploiting this flaw, an attacker can remotely harvest secrets, credentials, and other confidential data from an exposed MongoDB instance, with no authentication required.
According to Censys, a platform for discovering internet-connected assets, as of December 27 there were more than 87,000 potentially vulnerable MongoDB instances exposed to the public internet.

The geographical distribution of these exposed instances is concentrated: the United States accounts for nearly 20,000, followed closely by China with approximately 17,000, while Germany has just under 8,000 exposed servers.
The list of impacted versions is extensive, covering years of releases:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All versions of 4.2, 4.0, and 3.6.
MongoDB addressed the vulnerability 10 days ago and is urging all administrators to upgrade to a “safe release” immediately. The patched versions are:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30.
Fortunately, customers using MongoDB Atlas, the company’s fully managed multi-cloud service, received the patch automatically and don’t need to take any action.
For those unable to patch their self-hosted instances immediately, there is a stopgap measure: disable zlib compression on the server. The vendor suggests switching to safe alternatives for lossless data compression, such as Zstandard (zstd) or Snappy.
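As an added example (not code from the article, Ox Security, or MongoDB), the following triage helper combines the two checks an administrator needs: whether a server's version predates the first safe release of its line (taking the patched versions listed above as the first safe release of each line; 4.2, 4.0 and 3.6 are treated as always affected) and whether zlib is still among the effective wire compressors, which it is by default. It assumes the inputs are the documents returned by `db.adminCommand({buildInfo: 1})` and `db.adminCommand({getCmdLineOpts: 1})`, with `net.compression.compressors` appearing as a comma-separated string under `parsed`; the sample documents at the bottom are constructed.

```python
# First safe release of each supported line, from the vendor list above.
FIXED = {"8.2": (8, 2, 3), "8.0": (8, 0, 17), "7.0": (7, 0, 28),
         "6.0": (6, 0, 27), "5.0": (5, 0, 32), "4.4": (4, 4, 30)}
UNFIXED_LINES = {"4.2", "4.0", "3.6"}  # affected, no patched release listed
# mongod enables zlib unless net.compression.compressors overrides the default.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text):
    """'7.0.26' -> (7, 0, 26); pre-release suffixes such as '-rc0' are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])


def version_is_vulnerable(version):
    """True if the version predates the first safe release of its line,
    None if the release line is not covered by the advisory."""
    major, minor, patch = parse_version(version)
    line = f"{major}.{minor}"
    if line in UNFIXED_LINES:
        return True
    if line not in FIXED:
        return None
    return (major, minor, patch) < FIXED[line]


def zlib_enabled(cmdline_opts):
    """True if zlib is among the effective wire compressors (assumed layout:
    parsed.net.compression.compressors as a comma-separated string)."""
    compressors = (cmdline_opts.get("parsed", {}).get("net", {})
                   .get("compression", {}).get("compressors", DEFAULT_COMPRESSORS))
    return "zlib" in {c.strip() for c in compressors.split(",")}


def triage(build_info, cmdline_opts):
    vulnerable = version_is_vulnerable(build_info["version"])
    if vulnerable is None:
        return "unknown: release line not in advisory, verify manually"
    if not vulnerable:
        return "patched"
    if zlib_enabled(cmdline_opts):
        return "vulnerable: upgrade now, or set net.compression.compressors to snappy,zstd"
    return "vulnerable but zlib disabled: stopgap in place, upgrade still required"


# Constructed sample: an unpatched 7.0 server running with default compressors.
SAMPLE_BUILD_INFO = {"version": "7.0.26", "ok": 1}
SAMPLE_OPTS = {"argv": ["mongod", "--config", "/etc/mongod.conf"],
               "parsed": {"config": "/etc/mongod.conf", "net": {"port": 27017}}, "ok": 1}

if __name__ == "__main__":
    print(triage(SAMPLE_BUILD_INFO, SAMPLE_OPTS))
```

Note that a server on a vulnerable version with zlib removed is only mitigated, not fixed; the hardened setting in `mongod.conf` is `net.compression.compressors: snappy,zstd`.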