
A critical vulnerability in MongoDB, dubbed MongoBleed (CVE-2025-14847), is currently being exploited in the wild.
The flaw allows unauthenticated remote attackers to leak sensitive server memory. As previously reported, the flaw was used against Ubisoft, forcing the gaming company to shut down Rainbow Six Siege servers and its in-game marketplace.
MongoDB is one of the most widely used NoSQL databases worldwide, supporting millions of deployments across startups, enterprises, and cloud-native platforms. It underpins numerous applications, including gaming platforms, finance apps, IoT devices, and analytics services.
MongoBleed was first disclosed publicly on December 24, 2025, with technical analysis by researchers from OX Security and Wiz.io. The vulnerability stems from incorrect length handling in MongoDB's message_compressor_zlib.cpp file, which is part of the server's network decompression layer using the zlib library.
When an attacker sends a maliciously crafted compressed message to a vulnerable MongoDB server, the server allocates a buffer based on a fake decompressed size and then mistakenly returns uninitialized heap memory. Since this behavior occurs before authentication, no credentials are needed to exploit it. Sensitive in-memory data, such as passwords, API keys, or internal logs, can be exfiltrated silently and at scale.
The flaw affects all supported and legacy MongoDB server versions from v3.6 through v8.2.2, including:
- MongoDB 8.2.0 – 8.2.2
- MongoDB 8.0.0 – 8.0.16
- MongoDB 7.0.0 – 7.0.27
- MongoDB 6.0.0 – 6.0.26
- MongoDB 5.0.0 – 5.0.31
- MongoDB 4.4.0 – 4.4.29
- All MongoDB 4.2, 4.0, and 3.6 versions
Patches have been released in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. MongoDB Atlas customers have already received updates, while self-managed deployments remain at risk.
The first public exploit for MongoBleed was published on December 25, 2025, by security researcher Joe Desimone. The proof-of-concept tool, available on GitHub, can leak memory from any exposed MongoDB instance simply by providing its IP address. The tool allows scanning memory regions at various offsets and can extract login credentials, secrets, and other sensitive data.
Exploitation was observed within 24 hours of the exploit's release. Notably, in the breach of Ubisoft's Rainbow Six Siege services on December 28, 2025, at least one attacker group is reported to have gained access via a misconfigured MongoDB instance vulnerable to CVE-2025-14847. From there, the attackers pivoted to internal systems, accessing source code repositories and backend tooling.
Ubisoft, a major publisher in the global gaming industry, relies on MongoDB for parts of its backend services, including those supporting Rainbow Six Siege, a competitive multiplayer shooter with an active esports ecosystem and millions of daily users.
Detection, remediation, and defense
Organizations running affected versions of MongoDB should upgrade immediately to patched releases. If upgrading is not feasible in the short term, administrators should disable zlib compression by starting MongoDB with the `--networkMessageCompressors` command-line option or the `net.compression.compressors` configuration setting set to a list that omits zlib. Acceptable alternatives are snappy, zstd, or disabling network message compression entirely.
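The two checks above (is the running version one the advisory lists as vulnerable, and does the configuration still allow zlib) are easy to script across a fleet. The following is an added example, not code from the article or from MongoDB: the version thresholds are the ones listed in the article, the config parsing is a deliberate simplification that only looks for the `compressors:` key of a mongod.conf, and the fallback default list used when that key is absent is an assumption about MongoDB's documented default.

```python
"""Assess a self-managed MongoDB deployment against the MongoBleed
(CVE-2025-14847) advisory: version status plus zlib-compression status.
Added example; thresholds are those listed in the advisory text."""
import re

# Branch (major, minor) -> first patched release on that branch, per the advisory.
FIXED = {(8, 2): 3, (8, 0): 17, (7, 0): 28, (6, 0): 27, (5, 0): 32, (4, 4): 30}
# Branches the advisory lists as affected with no patched release available.
UNPATCHED_BRANCHES = {(4, 2), (4, 0), (3, 6)}
# Assumption: MongoDB's documented default when net.compression.compressors
# is not set (4.2 and later).
ASSUMED_DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]

# Constructed mongod.conf fragment used as sample input.
SAMPLE_CONF = """# constructed sample, not a real deployment
net:
  port: 27017
  compression:
    compressors: snappy,zstd,zlib
"""


def parse_version(s):
    """Parse 'v8.0.16' / '8.0.16' into (8, 0, 16)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def mongobleed_status(version):
    """Return 'vulnerable', 'patched', or 'not listed' for a server version."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch in UNPATCHED_BRANCHES:
        return "vulnerable"
    return "not listed"  # outside the advisory's stated 3.6 .. 8.2.2 range


def compressors_from_conf(conf_text):
    """Read the comma-separated compressor list from a mongod.conf.

    Simplification: matches the 'compressors:' line with a regex rather than
    parsing YAML, so it does not verify the key sits under net.compression.
    """
    m = re.search(r"^\s*compressors:\s*[\"']?([A-Za-z0-9_,\s]+?)[\"']?\s*$",
                  conf_text, re.M)
    if not m:
        return list(ASSUMED_DEFAULT_COMPRESSORS)
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def hardened_compressors(compressors):
    """Drop zlib; if nothing remains, disable compression outright."""
    kept = [c for c in compressors if c.lower() != "zlib"]
    return kept or ["disabled"]


def assess(version, conf_text):
    """Combine both checks into one report for a single host."""
    comps = compressors_from_conf(conf_text)
    return {
        "version_status": mongobleed_status(version),
        "zlib_enabled": "zlib" in [c.lower() for c in comps],
        "recommended_compressors": ",".join(hardened_compressors(comps)),
    }


if __name__ == "__main__":
    print(assess("7.0.27", SAMPLE_CONF))
```

The `recommended_compressors` value is what would go into `net.compression.compressors` (or `--networkMessageCompressors`) as the interim mitigation; note that it is only a stopgap and the version check is the one that should drive the upgrade.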
Internet-exposed MongoDB ports should be firewalled, with access restricted to trusted IP ranges or private networks. Security teams should review logs for suspicious activity, specifically bursts of connections that carry no client metadata.
Security researcher Florian Roth has released an open-source tool called mongobleed-detector. The script analyzes MongoDB logs for exploitation patterns: hundreds or thousands of short-lived connections from a single IP, each lacking client metadata. It works offline, supports .gz logs, and includes forensic capabilities for multi-host analysis.
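The pattern that the paragraph above describes (many short-lived connections from one source, none of which sends the `client metadata` handshake a real driver sends) can be expressed directly over MongoDB's structured JSON logs (the 4.4+ format). The following is an added example written for this article and is not the mongobleed-detector tool; the log lines it runs on are constructed in the shape of MongoDB's NETWORK events, and the thresholds are illustrative assumptions.

```python
"""Flag MongoBleed-style connection bursts in MongoDB JSON logs (4.4+):
many short-lived connections from one source IP that never log a
'client metadata' event. Added example, not the mongobleed-detector
tool; the sample log lines below are constructed."""
import gzip
import json
from collections import defaultdict
from datetime import datetime


def open_log(path):
    """Open a plain or gzip-compressed log file as text."""
    return gzip.open(path, "rt") if path.endswith(".gz") else open(path, "r")


def parse_ts(entry):
    # MongoDB writes ISO-8601 with a 'Z' suffix, e.g. 2025-12-28T10:00:00.001Z
    return datetime.fromisoformat(entry["t"]["$date"].replace("Z", "+00:00"))


def analyze(lines, min_connections=5, max_lifetime_s=2.0):
    """Return {ip: count} for source IPs with at least `min_connections`
    connections that closed within `max_lifetime_s` and sent no metadata."""
    accepted = {}                  # connectionId -> (ip, accept_time)
    has_metadata = set()           # connectionIds that logged client metadata
    suspicious = defaultdict(int)  # ip -> metadata-less short-lived connections
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            e = json.loads(raw)
        except json.JSONDecodeError:
            continue               # skip non-JSON lines (legacy text format)
        if e.get("c") != "NETWORK":
            continue
        attr, msg = e.get("attr", {}), e.get("msg")
        if msg == "Connection accepted":
            ip = attr.get("remote", "").rsplit(":", 1)[0]
            accepted[attr.get("connectionId")] = (ip, parse_ts(e))
        elif msg == "client metadata":
            ctx = e.get("ctx", "")  # per-connection events use ctx "conn<N>"
            if ctx.startswith("conn") and ctx[4:].isdigit():
                has_metadata.add(int(ctx[4:]))
        elif msg == "Connection ended":
            cid = attr.get("connectionId")
            if cid in accepted:
                ip, t0 = accepted.pop(cid)
                lifetime = (parse_ts(e) - t0).total_seconds()
                if cid not in has_metadata and lifetime <= max_lifetime_s:
                    suspicious[ip] += 1
                has_metadata.discard(cid)
    return {ip: n for ip, n in suspicious.items() if n >= min_connections}


def scan_file(path, **kwargs):
    """Run analyze() over one log file (plain or .gz)."""
    with open_log(path) as f:
        return analyze(f, **kwargs)


def _rec(ms, msg, ctx, attr, log_id):
    """Build one constructed JSON log line in MongoDB's structured format."""
    return json.dumps({"t": {"$date": f"2025-12-28T10:00:00.{ms:03d}Z"}, "s": "I",
                       "c": "NETWORK", "id": log_id, "ctx": ctx, "msg": msg,
                       "attr": attr})


# Constructed sample: a scanner at 203.0.113.7 opens six connections that each
# close within 50 ms and never send metadata; an application host at 10.0.0.5
# opens one connection that announces its driver and stays up longer.
SAMPLE_LOG = []
for i in range(6):
    cid, remote = 100 + i, f"203.0.113.7:{40000 + i}"
    SAMPLE_LOG.append(_rec(i * 100, "Connection accepted", "listener",
                           {"remote": remote, "connectionId": cid, "connectionCount": 1}, 22943))
    SAMPLE_LOG.append(_rec(i * 100 + 50, "Connection ended", f"conn{cid}",
                           {"remote": remote, "connectionId": cid, "connectionCount": 0}, 22944))
SAMPLE_LOG.append(_rec(0, "Connection accepted", "listener",
                       {"remote": "10.0.0.5:51234", "connectionId": 7, "connectionCount": 1}, 22943))
SAMPLE_LOG.append(_rec(5, "client metadata", "conn7",
                       {"remote": "10.0.0.5:51234", "client": "conn7",
                        "doc": {"driver": {"name": "pymongo", "version": "4.x"}}}, 51800))
SAMPLE_LOG.append(_rec(900, "Connection ended", "conn7",
                       {"remote": "10.0.0.5:51234", "connectionId": 7, "connectionCount": 0}, 22944))

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Two points worth keeping in mind when running this over real logs: legitimate health checks and load balancers also open short connections without driver metadata, so the source IP list should be reviewed against known monitoring hosts before raising an alert, and the legacy (pre-4.4) text log format is skipped by the JSON parser and would need its own line matcher.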
The bar for exploitation is now low, requiring only basic scripting and public tools. With an estimated 200,000+ exposed MongoDB instances globally and 42% of cloud environments using vulnerable versions, the risk of large-scale exploitation remains high.