Threat Actors Exploiting Critical ‘MongoBleed’ MongoDB Flaw
MongoDB has a high-severity vulnerability (CVE-2025-14847) that lets an unauthenticated attacker obtain sensitive memory contents through a flaw in its zlib decompression handling. The vulnerability affects multiple versions of MongoDB Server; a patch has been released. 2025-12-29 18:2:47 Author: securityboulevard.com

A high-severity vulnerability in MongoDB that can allow unauthenticated remote hackers to leak sensitive information from MongoDB servers is being exploited in the wild, days after a proof-of-concept (PoC) and technical details were published.

According to security researchers with several vendors, the security flaw, dubbed MongoBleed and tracked as CVE-2025-14847, lies in the zlib-based network message decompression logic of the popular open-source NoSQL database. A remote attacker can reach the flaw without credentials because incoming messages are decompressed before authentication takes place, according to threat intelligence researchers with Wiz.

“By sending malformed, compressed network packets, an unauthenticated attacker can trigger the server to mishandle decompressed message lengths, resulting in uninitialized heap memory being returned to the client,” the Wiz researchers wrote in a report over the weekend. “This allows attackers to remotely leak fragments of sensitive in-memory data without valid credentials or user interaction.”

The payload can be sent without authentication because the vulnerability, which carries a severity score of 8.7, is exploited at the network level, researchers with Ox Security wrote on Christmas Eve.

“Any server with a publicly exposed MongoDB port for MongoDB servers within the affected versions list, and also private servers where attackers might reach through lateral movement,” the Ox Security researchers wrote. “Attackers can exploit this to extract sensitive information from MongoDB servers, including user information, passwords, API keys and more. Although the attacker might need to send a large number of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information can be gathered.”

Patches Released

MongoDB released patches on December 19 for the flaw, which affects multiple current and older versions of MongoDB Server, from v3.6 to v8.2.2. MongoDB urged organizations to apply the fixes immediately or, where that is not possible, to disable zlib compression on MongoDB Server. Days after the patches were released, Ox Security published technical details about MongoBleed.
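As an added illustration of that interim mitigation (this is not code from MongoDB or from the article), the Python below edits a mongod.conf so that zlib is no longer offered to clients. The setting name `net.compression.compressors` (command-line equivalent `--networkMessageCompressors`), the compressor names snappy, zstd and zlib, and the literal `disabled` for turning network compression off are MongoDB's documented ones; the sample configuration is constructed, and the `HARDENED` value assumes a build with zstd, which arrived in 4.2, so on a 3.6 or 4.0 server use `snappy` alone. If the key is absent, the build default applies (which includes zlib on recent releases), so the function inserts an explicit setting at the correct depth rather than assuming the server is safe. Block-style YAML only.

```python
"""Added example: drop zlib from a mongod.conf (not MongoDB's own tooling).

Documented MongoDB settings used here:
  net.compression.compressors   comma-separated list, e.g. snappy,zstd,zlib
  --networkMessageCompressors   the command-line equivalent
  "disabled"                    turns network compression off entirely
Limitation: block-style YAML only; flow-style mappings are not rewritten.
"""
import re

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.]+):\s*(.*?)\s*$")
HARDENED = "snappy,zstd"   # default set minus zlib (assumes a build with zstd, i.e. 4.2+)


def _without_zlib(value: str) -> str:
    """Remove zlib from a compressor list; an empty result means 'disabled'."""
    kept = [c.strip() for c in value.split(",") if c.strip() and c.strip() != "zlib"]
    return ",".join(kept) if kept else "disabled"


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def harden_compressors(conf: str) -> tuple[str, str]:
    """Return (rewritten_conf, previous_value). previous_value is "default" when
    the key was absent; an explicit setting is then inserted under an existing
    net.compression block, under net, or as a new net block at the end."""
    lines = conf.splitlines()
    path: list[tuple[int, str]] = []     # stack of (indent, key) leading to this line
    idx_of: dict[str, int] = {}          # dotted key -> line index
    child_indent: dict[str, int] = {}    # dotted key -> indent its children use
    before = None
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue                     # comments, list items, blank lines
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        value = value.split("#", 1)[0].strip().strip("'\"")   # drop inline comment
        while path and path[-1][0] >= indent:
            path.pop()
        if path:
            child_indent.setdefault(".".join(k for _, k in path), indent)
        path.append((indent, key))
        dotted = ".".join(k for _, k in path)
        idx_of[dotted] = i
        if dotted == "net.compression.compressors":
            before = value
            lines[i] = f"{m.group(1)}{key}: {_without_zlib(value)}"
    if before is None:
        if "net.compression" in idx_of:
            at = idx_of["net.compression"]
            ind = child_indent.get("net.compression", _indent(lines[at]) + 2)
            lines.insert(at + 1, " " * ind + f"compressors: {HARDENED}")
        elif "net" in idx_of:
            at = idx_of["net"]
            ind = child_indent.get("net", _indent(lines[at]) + 2)
            lines[at + 1:at + 1] = [" " * ind + "compression:",
                                    " " * (ind + 2) + f"compressors: {HARDENED}"]
        else:
            lines += ["net:", "  compression:", f"    compressors: {HARDENED}"]
    return "\n".join(lines) + "\n", "default" if before is None else before


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd,zlib   # zlib is reachable before authentication
security:
  authorization: enabled
"""

if __name__ == "__main__":
    new_conf, previous = harden_compressors(SAMPLE_CONF)
    print(f"# net.compression.compressors was: {previous}")
    print(new_conf)
```

The change takes effect on the next mongod restart; because compressors are negotiated in the connection handshake, clients simply stop using zlib once the server no longer advertises it.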

Organizations that use MongoDB Atlas, a fully managed cloud database service, are protected because a patch was applied automatically.

According to Wiz researchers, “at a code level, the vulnerability was caused by incorrect length handling in message_compressor_zlib.cpp. The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory.”
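To make that length-handling bug concrete, here is an added Python model of the vulnerable and corrected decompression paths. It is not MongoDB's code: the OP_COMPRESSED frame layout (opcode 2012, then originalOpcode, uncompressedSize and a compressorId byte where 2 means zlib) follows MongoDB's documented wire protocol, while the handler functions, the FakeHeap stand-in for non-zeroed memory and the "stale" secret bytes are constructed for illustration. The attacker controls uncompressedSize; the unpatched pattern sizes its buffer from that field and then reports the buffer size rather than the byte count zlib actually produced, so an undersized payload hands back whatever the allocation previously held. The declared-versus-inflated comparison at the end is the same check a proxy or IDS that can inflate the payload could apply to unauthenticated traffic.

```python
"""Added example: model of the MongoBleed length-handling bug (not MongoDB code).

OP_COMPRESSED layout follows MongoDB's wire protocol documentation:
  MsgHeader (messageLength, requestID, responseTo, opCode=2012)
  int32 originalOpcode | int32 uncompressedSize | uint8 compressorId | bytes
compressorId 2 is zlib. Everything else here is a simplified stand-in.
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
ZLIB_ID = 2


def build_op_compressed(body: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Wrap `body` in an OP_COMPRESSED frame. `declared_size` is what the client
    *claims* the inflated size is; nothing stops an attacker from lying here."""
    payload = struct.pack("<iiB", OP_MSG, declared_size, ZLIB_ID) + zlib.compress(body)
    header = struct.pack("<iiii", 16 + len(payload), request_id, 0, OP_COMPRESSED)
    return header + payload


def parse_op_compressed(frame: bytes):
    """Return (originalOpcode, uncompressedSize, compressorId, compressed bytes)."""
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame):
        raise ValueError("not a well-formed OP_COMPRESSED frame")
    orig, declared, cid = struct.unpack_from("<iiB", frame, 16)
    return orig, declared, cid, frame[25:]


class FakeHeap:
    """Stand-in for malloc: a fresh block is not zeroed, it carries whatever the
    previous owner left behind (here a constructed string of secrets)."""

    def __init__(self, stale: bytes):
        self.stale = stale

    def alloc(self, size: int) -> bytearray:
        reps = size // len(self.stale) + 1
        return bytearray((self.stale * reps)[:size])


def _inflate_into(buf: bytearray, compressed: bytes) -> int:
    """Inflate into buf and return the byte count actually produced (the value
    zlib reports through destLen in C). Oversized payloads are rejected."""
    data = zlib.decompress(compressed)
    if len(data) > len(buf):
        raise ValueError("inflated data exceeds declared size")
    buf[:len(data)] = data
    return len(data)


def decompress_vulnerable(frame: bytes, heap: FakeHeap) -> bytes:
    """Unpatched pattern: buffer sized from the attacker-controlled field, and
    the whole buffer (output.length()) returned instead of the inflated count."""
    _, declared, cid, compressed = parse_op_compressed(frame)
    if cid != ZLIB_ID:
        raise ValueError("example handles zlib only")
    out = heap.alloc(declared)
    _inflate_into(out, compressed)      # written count ignored: the bug
    return bytes(out)                   # declared bytes; the tail is stale heap


def decompress_fixed(frame: bytes, heap: FakeHeap) -> bytes:
    """Corrected handling: only the bytes zlib actually wrote are returned."""
    _, declared, cid, compressed = parse_op_compressed(frame)
    if cid != ZLIB_ID:
        raise ValueError("example handles zlib only")
    out = heap.alloc(declared)
    written = _inflate_into(out, compressed)
    return bytes(out[:written])


def declared_minus_actual(frame: bytes) -> int:
    """Gap between claimed and real inflated size; a positive value is the
    malformed shape this bug needs and is checkable before authentication."""
    _, declared, _, compressed = parse_op_compressed(frame)
    return declared - len(zlib.decompress(compressed))


# Constructed stale heap content standing in for a previous request's secrets.
STALE = b"mongo_pw=hunter2;AWS_SECRET_ACCESS_KEY=EXAMPLEKEY;"
HEAP = FakeHeap(STALE)
BENIGN = build_op_compressed(b'{"hello":1}', declared_size=11)
MALFORMED = build_op_compressed(b"x", declared_size=64)   # claims 64, inflates to 1

if __name__ == "__main__":
    leaked = decompress_vulnerable(MALFORMED, HEAP)
    print("vulnerable returned", len(leaked), "bytes:", leaked)
    print("fixed returned", decompress_fixed(MALFORMED, HEAP))
    print("declared - actual:", declared_minus_actual(MALFORMED))
```

Run as a script, the vulnerable path returns 64 bytes of which only the first is attacker data and the rest is the "stale" content, the fixed path returns the single byte, and the benign frame behaves identically under both; repeating the malformed request is how an attacker sweeps through different recycled allocations.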

They noted that Ubuntu’s rsync package is affected by the same vulnerability because it also uses zlib, although no exploitation details for rsync have been published.

PoC Exploit, Details Released

Soon after Ox Security released its report that included the technical details, Joe Desimone, a researcher with Elastic Security, released a PoC exploit and made it available on GitHub.

Security researcher Kevin Beaumont criticized the posting of the PoC exploit and publishing of the technical details, adding that “because of how simple this is now to exploit — the bar is removed — expect high likelihood of mass exploitation and related security incidents. The exploit author has provided no details on how to detect exploitation in logs via products like … Elastic.”

Beaumont wrote that he had validated the released exploit.

“You can just supply an IP address of a MongoDB instance and it’ll start ferreting out in memory things such as database passwords (which are plain text), AWS secret keys etc.,” he wrote. “The exploit specifically looks for those classes of credentials and secrets, too.”

MongoDB a Popular Database

An aggravating factor is the popularity of MongoDB. According to DB-Engines, MongoDB is the fifth-most popular database management system, behind Oracle, MySQL, Microsoft SQL Server, and PostgreSQL.

Researchers with Aikido Security outlined why MongoBleed is such a dangerous flaw, pointing out that no authentication or user interaction is required, that it is relatively easy to exploit, and that the attack surface comprises every network-exposed MongoDB instance.

“Even partial memory disclosure can reveal sensitive application data, expose internal server state, and assist attackers in lateral movement,” they wrote.

Estimates of the number of vulnerable MongoDB instances vary: Censys said more than 87,000 were exposed to the public internet, while Beaumont put the figure at more than 200,000.

Ubisoft Targeted

Ubisoft reportedly became one of the first victims of MongoBleed. Multiple players of the company’s Rainbow Six Siege game reported that attackers had breached its internal servers, banned players, granted huge amounts of in-game currency (2 billion in premium R6 credits and Renown) and manipulated in-game moderation feeds.

According to BleepingComputer, the company confirmed an incident on December 27 via the Rainbow Six Siege X account and later shut down the game and its in-game marketplace.

Source: https://securityboulevard.com/2025/12/threat-actors-exploiting-critical-mongobleed-mongodb-flaw/