
The Cybersecurity and Infrastructure Security Agency (CISA) has officially raised the alarm about a critical vulnerability in MongoDB, adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
The listing confirms that the bug, dubbed “MongoBleed,” is being actively exploited to steal sensitive data from servers around the world. The flaw is serious: it stems from “improper handling of length parameter inconsistencies” in the database’s use of the zlib compression library.
The vulnerability, identified as CVE-2025-14847, has a CVSS severity score of 8.7 and affects a wide range of MongoDB Server versions, from legacy installations to the latest releases.
CISA’s action follows reports of widespread abuse. The agency warned that “this type of vulnerability is a common attack vector for malicious actors and poses a significant risk to federal operations.”
The list of affected versions is extensive and spans several release years:
According to Censys, a platform dedicated to discovering internet-connected resources, as of December 27 there were more than 87,000 potentially vulnerable MongoDB instances exposed to the public internet.
Security researchers at Ox Security have described how the vulnerability works: when MongoDB decompresses a network message, it reports the size of the buffer it allocated for the output rather than the number of bytes the decompression actually produced.
This inconsistency lets an attacker send a malformed message that declares an exaggerated uncompressed size, tricking the server into reserving an oversized memory buffer. The real payload fills only part of it, and the server then returns the whole buffer, including the uninitialized memory beyond the payload, to the adversary.
By exploiting this flaw, attackers can remotely harvest secrets, credentials and other sensitive data from an exposed MongoDB instance without needing to authenticate.
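To make the mechanism concrete, the following is an added Python model of the bug pattern described above, placed beside a hardened handler. It is not MongoDB’s code (the server is written in C++) and not from Ox Security or CISA. The five-byte header (int32 declared uncompressed size, uint8 compressor id), the compressor id value and the 48 MB message limit are assumptions modelled loosely on MongoDB’s compressed-message framing, and the “stale heap” bytes are constructed to stand in for whatever a recycled, unzeroed allocation still holds.

```python
import struct
import zlib

# Assumed limit modelled on mongod's maximum message size; not taken from the article.
MAX_MESSAGE_SIZE = 48 * 1000 * 1000

# Assumed compressor id for zlib in the simplified header below.
ZLIB_COMPRESSOR_ID = 2

# Constructed stand-in for the contents of a recycled heap region.
STALE_HEAP = b"user=admin;pass=hunter2;" * 8


def build_compressed_message(payload: bytes, declared_size: int) -> bytes:
    """Simplified compressed message body: declared uncompressed size,
    compressor id, then the zlib stream. An honest client sets
    declared_size == len(payload); an attacker declares something larger."""
    return struct.pack("<iB", declared_size, ZLIB_COMPRESSOR_ID) + zlib.compress(payload)


def _parse_header(body: bytes):
    declared_size, compressor_id = struct.unpack_from("<iB", body, 0)
    if compressor_id != ZLIB_COMPRESSOR_ID:
        raise ValueError("unsupported compressor")
    return declared_size, body[5:]


def vulnerable_decompress(body: bytes) -> bytes:
    """The pattern the article describes: allocate a buffer of the declared
    size, inflate into it, then hand back the whole allocation instead of
    only the bytes zlib actually produced."""
    declared_size, compressed = _parse_header(body)
    # Simulated malloc(): the region is recycled and not zeroed.
    buf = bytearray(STALE_HEAP[:declared_size].ljust(declared_size, b"\x00"))
    produced = zlib.decompressobj().decompress(compressed, declared_size)
    buf[: len(produced)] = produced
    return bytes(buf)  # BUG: length is declared_size, not len(produced)


def fixed_decompress(body: bytes) -> bytes:
    """Hardened handler: bound the declared size, inflate with one byte of
    headroom so an over-long stream is noticed rather than silently truncated,
    and reject any message whose declared size disagrees with the real output."""
    declared_size, compressed = _parse_header(body)
    if not 0 < declared_size <= MAX_MESSAGE_SIZE:
        raise ValueError("declared uncompressed size out of range")
    d = zlib.decompressobj()
    produced = d.decompress(compressed, declared_size + 1)
    if len(produced) != declared_size or not d.eof:
        raise ValueError("declared uncompressed size does not match decompressed data")
    return produced


def leaked_bytes(body: bytes) -> bytes:
    """Bytes the vulnerable handler returns beyond the attacker's own payload."""
    _, compressed = _parse_header(body)
    actual = zlib.decompress(compressed)
    return vulnerable_decompress(body)[len(actual):]


if __name__ == "__main__":
    honest = build_compressed_message(b"hello", 5)
    malicious = build_compressed_message(b"hello", 64)  # lies about the size
    print("honest reply:", vulnerable_decompress(honest))
    print("leak from vulnerable server:", leaked_bytes(malicious))
    try:
        fixed_decompress(malicious)
    except ValueError as exc:
        print("fixed server rejected it:", exc)
```

The honest message round-trips through both handlers; the lying message makes the vulnerable handler return 59 bytes of stale heap after the five real ones, while the hardened handler refuses it. The same check also catches the opposite lie (a declared size smaller than the real output), which in the vulnerable handler quietly truncates instead of leaking.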
MongoDB fixed the vulnerability 10 days ago and urges all administrators to upgrade immediately to a fixed build. The fixed builds are:
Fortunately, customers using MongoDB Atlas, the company’s fully managed multi-cloud service, received the patch automatically and do not need to take any action.
