A proof-of-concept is now available on the internet:
MongoBleed, a high-severity vulnerability affecting multiple versions of MongoDB, can now be exploited with little effort, since a proof-of-concept (PoC) has been published on the web.
Earlier this week, security researcher Joe Desimone published code that exploits a "read of uninitialized heap memory" vulnerability tracked as CVE-2025-14847. This vulnerability, rated 8.7/10 (high), stems from "mismatched length fields in Zlib compressed protocol headers".
By sending a crafted message whose compressed header claims a larger decompressed size than the payload actually yields, an attacker can make the server allocate an oversized buffer; the portion that is never filled still holds leftover heap contents, which are returned to the attacker, leaking in-memory data such as credentials, cloud keys, session tokens, API keys, configuration data, and more.
What's more, attackers exploiting MongoBleed do not need valid credentials to pull off the attack.
In its writeup, BleepingComputer confirms that there are roughly 87,000 potentially vulnerable instances exposed on the public internet, according to data from Censys. Most are located in the United States (20,000), with large numbers also in China (17,000) and Germany (around 8,000).
Here is a list of all the vulnerable versions:
- MongoDB 8.2.0 through 8.2.3
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.26
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All MongoDB Server v4.2 versions
- All MongoDB Server v4.0 versions
- All MongoDB Server v3.6 versions
If you are running any of the above, make sure you patch: a fix for self-hosted instances has been available since December 19. Users running MongoDB Atlas don't need to do anything, since their instances were patched automatically.
So far, there are no confirmed reports of in-the-wild abuse, although some researchers are linking MongoBleed to the recent Ubisoft Rainbow Six Siege breach.
(Score: 1, Funny) by VLM on Saturday January 03, @04:03PM (1 child)
Nothing EVER changes; it sounds like MSSQL Slammer. I was working that day, about 30 years ago, and it was interesting to watch Ethernet ports go to line rate. I assume the new worm architecture is smart enough to not port scan the entire internet at line rate LOL.
Nice to see nothing has improved or changed in cybersecurity in the last three decades. "I'll give the entire internet access to my database port, what could possibly go wrong?"
(Score: 2) by driverless on Sunday January 04, @08:58AM
Yeah but this one is a web scale vulnerability [youtube.com]!
(Score: 1, Informative) by VLM on Saturday January 03, @04:10PM
Here's a URL I spent a lot of time at. Still visit occasionally:
https://go.dev/wiki/GoForCPPProgrammers [go.dev]
"Go has a builtin function new which takes a type and allocates space on the heap. The allocated space will be zero-initialized for the type."
LOL so we know mongo isn't written in Golang then ha ha. I "know" mongo has lots of languages in its innards but it's mostly C++, isn't it?
"The next language" as a topic is interesting, it seems to be self sorting that the really toxic people all go into rust leaving us with golang having a pretty nice community and rust being ... uh very mixed, but rust has got ALL the bad actors in it mixed in with some OK peeps. I don't know how golang filtered them all, but it's impressive.