Exploited Mongobleed Flaw Leaks Mongodb Secrets, 87k Servers Exposed

A severe vulnerability affecting multiple MongoDB versions, dubbed MongoBleed (CVE-2025-14847), is being actively exploited in the wild, with over 80,000 potentially vulnerable servers exposed on the public web.

A public exploit and accompanying technical details are available, showing how attackers can trigger the flaw to remotely extract secrets, credentials, and other sensitive data from an exposed MongoDB server.

The vulnerability was assigned a severity score of 8.7 and has been handled as a “critical fix,” with a patch available for self-hosting instances since December 19.

The MongoBleed vulnerability stems from how the MongoDB Server handles network packets processed by the zlib library for lossless data compression.

Researchers at Ox Security explain that the issue is caused by MongoDB returning the amount of allocated memory when processing network messages instead of the length of the decompressed data.

A threat actor could send a malformed message claiming a larger size when decompressed, causing the server to allocate a larger memory buffer and leak to the client in-memory data with sensitive information.

The type of secrets leaked this way could range from credentials, API and/or cloud keys, session tokens, personally identifiable info (PII), internal logs, configurations, paths, and client-related data.

Because the decompression of network messages occurs before the authentication stage, an attacker exploiting MongoBleed does not need valid credentials.

The public exploit, released as a proof-of-concept (PoC) dubbed "MongoBleed" by Elastic security researcher Joe Desimone, is specifically created to leak sensitive memory data.

Security researcher Kevin Beaumont says that the PoC exploit code is valid and that it requires only “an IP address of a MongoDB instance to start ferreting out in memory things such as database passwords (which are plain text), AWS secret keys etc.”

Source: BleepingComputer