Worldwide Active Exploitation of MongoDB Vulnerability CVE-2025-14847
A newly disclosed MongoDB Server vulnerability is being actively exploited in the wild, and more than 87,000 internet-facing instances appear to be exposed worldwide.
The issue is tracked as CVE-2025-14847 (CVSS score: 8.7) and has been dubbed MongoBleed. It allows an unauthenticated remote attacker to read data directly from the memory of the MongoDB server process.
“A flaw in zlib compression allows attackers to trigger information leakage,” OX Security said. “By sending malformed network packets, an attacker can extract fragments of private data.”
The weakness lies in MongoDB Server's zlib-based message decompression path ("message_compressor_zlib.cpp"). It affects deployments where the zlib network message compressor is enabled; zlib is part of the default compressor list (snappy, zstd, zlib), so a deployment is affected unless that setting was changed. A successful exploit lets an attacker read whatever happens to reside in the server's process memory, which can include user records, passwords, and API keys. The attacker does not choose what comes back, only how many requests to make.
“Although the attacker might need to send a large amount of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered,” OX Security added.
Cloud security company Wiz said CVE-2025-14847 is caused by a defect in the zlib-based network message decompression logic: an unauthenticated attacker can send malformed compressed network packets that trigger the bug and return uninitialized heap memory, without valid credentials or user interaction.
“The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory,” security researchers Merav Bar and Amitai Cohen said. “Because the vulnerability is reachable prior to authentication and does not require user interaction, Internet-exposed MongoDB servers are particularly at risk.”
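The return-value mix-up described above, as an added example that is not MongoDB's code: a stand-in for zlib's uncompress() (a toy run-length decoder with zlib's calling convention, used so the file builds without linking zlib) is wrapped first the way the vulnerable logic did it, returning the output buffer's capacity, and then the way the fix does, returning the length the decompressor reported. The stale buffer contents, the payload and the function names are constructed for the illustration and are not from MongoDB's source.

```cpp
// Added example, not MongoDB's code: models the defect class behind CVE-2025-14847.
// zlib's uncompress() is replaced by stub_uncompress() (a toy run-length decoder with the
// same calling convention) so the file builds without linking zlib.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for zlib's uncompress(dest, &destLen, source, sourceLen):
// on entry *destLen is the capacity of dest, on success it is set to the bytes written.
// Input format (constructed): pairs of (run length, byte value).
// Returns 0 on success (zlib's Z_OK), -1 if dest is too small, -2 if the stream is malformed.
int stub_uncompress(uint8_t* dest, std::size_t* destLen,
                    const uint8_t* source, std::size_t sourceLen) {
    if (sourceLen % 2 != 0) return -2;
    std::size_t written = 0;
    for (std::size_t i = 0; i < sourceLen; i += 2) {
        std::size_t run = source[i];
        if (written + run > *destLen) return -1;
        std::memset(dest + written, source[i + 1], run);
        written += run;
    }
    *destLen = written;  // the only place the real decompressed size is reported
    return 0;
}

// Shape of the vulnerable wrapper: the caller allocated `output` to the size the client
// claimed for the message, and the function reports that capacity back instead of
// `length`, so bytes the decompressor never wrote are treated as message data.
// Returns the number of bytes the caller will go on to parse, or 0 on error.
std::size_t decompressVulnerable(const std::vector<uint8_t>& input, std::vector<uint8_t>& output) {
    std::size_t length = output.size();
    int ret = stub_uncompress(output.data(), &length, input.data(), input.size());
    if (ret != 0) return 0;
    return output.size();  // BUG: buffer capacity, not bytes decompressed
}

// Fixed shape: report the length the decompressor actually wrote.
std::size_t decompressFixed(const std::vector<uint8_t>& input, std::vector<uint8_t>& output) {
    std::size_t length = output.size();
    int ret = stub_uncompress(output.data(), &length, input.data(), input.size());
    if (ret != 0) return 0;
    return length;
}

// Simulates one inbound compressed message. `staleHeap` (constructed) plays the role of
// whatever the allocator previously held in the freshly allocated output buffer; the
// real server does not clear it, which is exactly why its contents become readable.
// Returns the bytes the message parser would see.
std::string messageAsParsed(const std::vector<uint8_t>& payload,
                            const std::string& staleHeap, bool useFix) {
    // Output buffer sized to the claimed message length, pre-populated with stale bytes.
    std::vector<uint8_t> output(staleHeap.begin(), staleHeap.end());
    std::size_t n = useFix ? decompressFixed(payload, output)
                           : decompressVulnerable(payload, output);
    return std::string(output.begin(), output.begin() + n);
}

int main() {
    // Constructed payload: inflates to "AAAABBBB" (8 bytes) while the buffer is 34 bytes.
    const std::vector<uint8_t> payload = {4, 'A', 4, 'B'};
    const std::string stale = "old buffer: api_key=sk_live_123456";  // constructed stale heap
    std::cout << "vulnerable: " << messageAsParsed(payload, stale, false) << "\n";
    std::cout << "fixed:      " << messageAsParsed(payload, stale, true) << "\n";
    return 0;
}
```

In MongoDB's wire protocol the OP_COMPRESSED header carries an uncompressedSize field that the server uses to size the output buffer; a client that declares a large size but sends a stream inflating to only a few bytes receives the difference as whatever the allocator left behind, which is the "undersized or malformed payload" case the researchers describe. The fixed variant returns only the eight decoded bytes; the vulnerable variant hands the parser the full 34-byte buffer, stale credential and all.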
Attack surface data from Censys indicates there are more than 87,000 potentially vulnerable instances, primarily in the U.S., China, Germany, India, and France. Wiz observed that 42% of cloud environments contain at least one MongoDB instance running a version affected by CVE-2025-14847, spanning both internet-facing and internal services.
The exact TTPs used in the observed exploitation are not yet public. Operators should upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30, whichever patched release matches their major version, as soon as possible. MongoDB Atlas has already been patched. Note that the defect is in MongoDB's own wrapper around zlib, not in the zlib library itself, so other software that links zlib is not affected by this CVE and updating the system zlib package does not fix it.
As an interim mitigation, administrators can disable zlib on MongoDB Server by starting mongod or mongos with a networkMessageCompressors command-line option or a net.compression.compressors configuration value that omits zlib (for example, snappy,zstd); clients that only offer zlib will fall back to uncompressed messages. Additional defensive steps include limiting network exposure of MongoDB servers (no direct internet exposure, firewall or VPC rules restricting which clients can reach the port) and monitoring MongoDB logs for unusual pre-authentication connection patterns and spikes in malformed compressed requests.
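The interim mitigation above as a mongod.conf fragment, added here as an example rather than taken from the advisory: the first document shows the default compressor list, which is the setting that leaves the affected path reachable, and the second the same list with zlib removed.

```yaml
# Added example, not from the advisory. Two mongod.conf variants separated by '---'.
# Before: the default compressor list, which includes zlib (affected path reachable).
net:
  compression:
    compressors: snappy,zstd,zlib
---
# After: interim mitigation until the patched build is deployed. Removing zlib alone is
# enough; setting "disabled" would also turn off snappy and zstd for every client.
net:
  compression:
    compressors: snappy,zstd
```

The command-line equivalent is starting mongod or mongos with --networkMessageCompressors snappy,zstd. After the restart, confirm the running process picked up the change by running db.adminCommand({ getCmdLineOpts: 1 }) in mongosh and checking that parsed.net.compression.compressors no longer lists zlib; the mitigation only takes effect on processes started with the new setting, so every mongod and mongos in a replica set or sharded cluster needs it.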

