MongoBleed PoC Exposes 87,000+ Public MongoDB Instances

Key Takeaways:
  • MongoBleed (CVE-2025-14847) is a high-severity, unauthenticated memory-disclosure bug in MongoDB’s zlib message decompression.
  • Censys identified more than 87,000 potentially vulnerable MongoDB instances exposed to the public internet.
  • A public PoC exploit by researcher Joe Desimone is available on GitHub; MongoDB has released patches — update immediately.

What is MongoBleed?

MongoBleed is an uninitialized memory disclosure in MongoDB Server’s zlib-based message decompression. The flaw allows a remote, unauthenticated requester to cause the server to return portions of heap memory when it processes a specially crafted packet.

Technical risk and CVSS

Tracked as CVE-2025-14847 with a CVSS score of 7.5, the issue resembles the old Heartbleed pattern: logic in decompression can return residual heap contents. Because heap memory can contain recent database artifacts, the exposed data may include cleartext credentials, session tokens, authentication keys, or customer PII.

Affected versions and scale of exposure

The vulnerability spans a broad range of releases, including recent and legacy builds. Affected versions reported include MongoDB 8.2.0–8.2.2, 8.0.0–8.0.16, 7.0.0–7.0.27, 6.0.0–6.0.26, 5.0.0–5.0.31, 4.4.0–4.4.29, and older 4.2/4.0/3.6 families.

Internet observability firm Censys found over 87,000 potentially vulnerable instances reachable on the public internet as of late December, magnifying the urgency for rapid remediation.

Proof-of-concept and threat implications

Researcher Joe Desimone published a public PoC exploit on GitHub. Public exploit code lowers the barrier for opportunistic attackers and is likely to increase scanning and data-scraping attempts against unpatched servers.

There were no confirmed widespread in-the-wild attacks at the time of disclosure, but the availability of a PoC and the large exposed population create a high-risk window.

MongoDB has issued fixes for the flaw. Administrators should upgrade to the patched releases or later: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

Temporary mitigations

If you cannot patch immediately, disable zlib compression by removing it from the server's list of accepted compressors, set via the --networkMessageCompressors command-line option or the net.compression.compressors configuration setting. Also, restrict network access to database ports to trusted IPs or private networks.

Immediate checklist for admins

1) Inventory MongoDB instances and identify external-facing servers.
2) Apply vendor patches or upgrade to the versions listed above.
3) If urgent patching isn’t possible, disable zlib and lock down network access.
4) Review logs and recent activity for suspicious connections and consider rotating credentials and keys that may have been processed recently.
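Steps 1 to 3 of the checklist reduce to one triage question per server: is the build older than its branch's fixed release, and if so, has zlib already been removed from the compressor list? The script below, an added example that is not MongoDB's tooling or part of the original article, encodes the fixed releases and affected legacy branches named above; the inventory records, hostnames and compressor lists are constructed.

```python
"""Triage a MongoDB inventory against the MongoBleed (CVE-2025-14847) fixed
releases listed in the advisory.  Example code written for this page, not
MongoDB's own tooling; the inventory records below are constructed."""
import re

# First fixed release per supported branch (from the advisory).
FIXED = {(8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
         (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30)}
# Branches the advisory lists as affected without naming a fixed release.
LEGACY = {(4, 2), (4, 0), (3, 6)}

def parse_version(text):
    """'7.0.12-rc1' -> (7, 0, 12); ignores pre-release suffixes."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version):
    """True if the build predates its branch's fix, None if the advisory
    does not cover the branch at all."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch in LEGACY:
        return True  # no fixed build listed: treat as exposed
    return None

def triage(record):
    """Classify one inventory record as 'patched', 'mitigated',
    'vulnerable' or 'unknown'.  A vulnerable build with zlib removed from
    net.compression.compressors is only 'mitigated', not fixed."""
    vulnerable = is_vulnerable_version(record["version"])
    if vulnerable is None:
        return "unknown"
    if not vulnerable:
        return "patched"
    if "zlib" not in record.get("compressors", []):
        return "mitigated"
    return "vulnerable"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "db-prod-01", "version": "7.0.12", "compressors": ["snappy", "zstd", "zlib"]},
    {"host": "db-prod-02", "version": "7.0.28", "compressors": ["snappy", "zstd", "zlib"]},
    {"host": "db-legacy", "version": "4.2.24", "compressors": ["snappy", "zlib"]},
    {"host": "db-staging", "version": "8.0.16-rc0", "compressors": ["snappy", "zstd"]},
]
```

Feed it the version and compressor list reported by each server (for example from the `buildInfo` and `getCmdLineOpts` admin commands) and treat every "vulnerable" result as a patch-now item; "mitigated" hosts still need the upgrade once a maintenance window allows.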

Given the scale of exposure and a public PoC, organizations should treat MongoBleed as a critical operational priority until all internet-reachable MongoDB services are confirmed patched or mitigated.