MongoBleed: Critical Unauthenticated Memory Disclosure Vulnerability in MongoDB via zlib Compression
A critical unauthenticated vulnerability (CVE-2025-14847) has been discovered in MongoDB Server, in its handling of zlib-compressed network traffic. A remote attacker with network access to a MongoDB instance that has compression enabled can cause the server to return uninitialized heap memory in its responses. The leaked memory may contain sensitive data, including fragments of previously processed information, internal state, or confidential values, and no authentication is required to exploit this issue.
The vulnerability affects a wide range of MongoDB versions, including 3.6.x through 8.2.x, with patches available in versions 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, and 8.2.3. The root cause lies in the way MongoDB processes malformed zlib-compressed frames, leading to a length mismatch during decompression and the inadvertent inclusion of uninitialized memory in server responses. Given MongoDB's prevalence in cloud environments and its frequent exposure to the internet, this vulnerability poses a significant risk to organizations relying on the database for sensitive data storage and application backends.
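The following triage helper is an added example, not code from MongoDB or from any tool named on this page. It classifies a server using the affected range and fixed releases listed above, together with the server's configured compressor list; it assumes the caller has already read the version string and the `net.compression.compressors` value, and the status labels are hypothetical.

```python
import re

# First fixed release per branch, as listed on this page.
FIXED_PATCH = {(4, 4): 30, (5, 0): 32, (6, 0): 27, (7, 0): 28, (8, 0): 17, (8, 2): 3}
# Affected range as stated on this page: 3.6.x through 8.2.x.
AFFECTED_MIN, AFFECTED_MAX = (3, 6), (8, 2)


def parse_version(text):
    """Parse '7.0.27' or 'v7.0.27' into (7, 0, 27)."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def triage(version, compressors):
    """Classify one server from its version and its configured compressor list.

    `compressors` is the comma-separated value of net.compression.compressors
    (assumption: the caller read it from the server's effective configuration).
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    enabled = {name.strip().lower() for name in compressors.split(",")}

    if not AFFECTED_MIN <= branch <= AFFECTED_MAX:
        return "outside-affected-range"
    fixed = FIXED_PATCH.get(branch)
    if fixed is not None and patch >= fixed:
        return "patched"
    if "zlib" not in enabled:
        # Temporary mitigation only; the server binary is still unfixed.
        return "mitigated-zlib-disabled"
    if fixed is None:
        # No fixed release is listed on this page for this branch.
        return "vulnerable-no-fix-listed"
    return "vulnerable-upgrade-available"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for ver, comp in [("7.0.27", "snappy,zstd,zlib"), ("8.0.17", "zlib"),
                      ("4.2.24", "zlib"), ("6.0.20", "snappy,zstd")]:
        print(ver, comp, "->", triage(ver, comp))
```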
Timeline
Jan 5, 2026
Researchers report a GUI-based MongoBleed exploitation tool
By early January, researchers reported the emergence of a GUI-based exploitation tool for MongoBleed, reducing the technical skill needed to abuse the flaw. The development suggested continued commoditization of exploitation after the initial PoC release.
Jan 2, 2026
Rapid7 updates Metasploit module with faster MongoBleed checks
Rapid7 updated its Metasploit support for CVE-2025-14847 with a CHECK action, compression pre-flight checks, improved leak extraction, and JSON export. The enhancements enabled faster and more automated assessment of MongoDB targets.
Dec 30, 2025
Reports link MongoBleed exploitation to Ubisoft's Rainbow Six Siege
Multiple reports claimed MongoBleed was used against Ubisoft infrastructure tied to Rainbow Six Siege, causing manipulation of game servers and in-game assets. The claim was presented as an early high-profile victim example, though some reporting described it as unverified.
Dec 30, 2025
Metasploit module for MongoBleed scanning is published
A Metasploit auxiliary scanner module for CVE-2025-14847 was published, further lowering the barrier to test and identify vulnerable MongoDB servers. The release added another widely used offensive and defensive tool for validating exposure.
Dec 29, 2025
U.S. and Australian cyber agencies confirm global exploitation
Government cyber agencies in the United States and Australia publicly warned that MongoBleed was being exploited globally. Their statements reinforced that exploitation was opportunistic and widespread rather than limited to isolated incidents.
Dec 29, 2025
CISA adds CVE-2025-14847 to the KEV catalog
CISA added MongoDB CVE-2025-14847 to its Known Exploited Vulnerabilities catalog because of evidence of active exploitation. The agency required U.S. federal civilian agencies to remediate the issue by the published deadline and urged all organizations to prioritize patching.
Dec 29, 2025
MongoBleed detector tools are released for incident response
Open-source detector tools and artifacts were published to help organizations identify signs of MongoBleed exploitation in MongoDB logs. These tools focused on suspicious pre-authentication connection patterns and malformed compressed traffic associated with the exploit.
Dec 28, 2025
Active exploitation of MongoBleed is reported in the wild
Security vendors and media began reporting that CVE-2025-14847 was being actively exploited against exposed MongoDB servers shortly after PoC publication. Reports said attackers were harvesting sensitive in-memory data such as credentials, API keys, and tokens from vulnerable systems.
Dec 27, 2025
Researchers estimate over 87,000 internet-exposed MongoDB instances are vulnerable
Internet-wide exposure analysis reported that more than 87,000 publicly reachable MongoDB instances appeared potentially vulnerable to MongoBleed. The estimate highlighted the large attack surface and urgency of patching exposed self-managed deployments.
Dec 27, 2025
Detection content and scanner templates for MongoBleed are published
Researchers and tool authors released detection resources for CVE-2025-14847, including a Nuclei template and log-based hunting guidance to identify vulnerable or exploited MongoDB servers. These technical details expanded defenders' ability to scan for exposure and investigate compromise.
Dec 26, 2025
Public proof-of-concept exploit for MongoBleed is released
A public proof-of-concept exploit for CVE-2025-14847, later dubbed MongoBleed, was published on GitHub, making exploitation easier for attackers and defenders to validate exposure. Multiple later reports cite the PoC release as a key turning point in risk escalation.
Dec 19, 2025
MongoDB discloses CVE-2025-14847 and releases patches
MongoDB disclosed CVE-2025-14847, a pre-authentication zlib-related memory disclosure flaw in MongoDB Server, and released fixed versions for supported branches. The company advised customers to upgrade immediately or disable zlib compression as a temporary mitigation.
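The log-based hunting described in the Dec 27 and Dec 29 entries can be sketched as follows. This is an added example, not one of the detector tools the timeline refers to. It assumes MongoDB's structured JSON log format with event id 22943 ("Connection accepted") and 51800 ("client metadata"), and it assumes that a legitimate driver sends client metadata after connecting; the thresholds and sample lines are constructed.

```python
import json
from collections import Counter

ACCEPTED, METADATA = 22943, 51800  # "Connection accepted", "client metadata"


def _line(event_id, msg, remote):
    """Build one constructed structured-log line for the sample below."""
    return json.dumps({"t": {"$date": "2025-12-29T10:00:00.000+00:00"}, "s": "I",
                       "c": "NETWORK", "id": event_id, "msg": msg,
                       "attr": {"remote": remote}})


# Constructed sample log, not taken from a real server.
SAMPLE_LOG = "\n".join(
    [_line(ACCEPTED, "Connection accepted", f"203.0.113.7:{40000 + i}") for i in range(30)]
    + [_line(event, msg, f"10.0.0.5:{50000 + i}")
       for i in range(3)
       for event, msg in ((ACCEPTED, "Connection accepted"), (METADATA, "client metadata"))]
    + ["truncated non-JSON line"]
)


def hunt(log_text, min_conns=20, max_metadata_ratio=0.1):
    """Return [(ip, connections, metadata_events)] for sources that connect
    often but almost never identify themselves. Thresholds are hypothetical."""
    accepted, metadata = Counter(), Counter()
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # skip truncated or legacy plain-text lines
        attr = entry.get("attr") if isinstance(entry, dict) else None
        if not isinstance(attr, dict) or not isinstance(attr.get("remote"), str):
            continue
        ip = attr["remote"].rsplit(":", 1)[0]  # drop the ephemeral source port
        if entry.get("id") == ACCEPTED:
            accepted[ip] += 1
        elif entry.get("id") == METADATA:
            metadata[ip] += 1
    return sorted(
        (ip, count, metadata[ip])
        for ip, count in accepted.items()
        if count >= min_conns and metadata[ip] / count <= max_metadata_ratio
    )
```

A hit is a lead for investigation rather than proof of exploitation: health checks and port scanners can produce the same pattern, so correlate flagged sources with the server's version and compressor settings.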
Sources
5 more from sources like osint team blog, metasploit pull requests, cyber security news, securityaffairs and github.com
Related Stories

MongoBleed Vulnerability in MongoDB and Its Exploitation Impact
A critical vulnerability, CVE-2025-14847, known as MongoBleed, has been discovered in MongoDB, allowing unauthenticated remote attackers to read uninitialized heap memory from affected servers when zlib compression is enabled. This flaw exposes sensitive in-memory data such as credentials, session tokens, and application secrets, and is present across a wide range of MongoDB versions. The vulnerability is actively being exploited, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and warning that over 80,000 servers are at risk. The attack requires no authentication or user interaction, making it a high-severity issue for organizations using MongoDB in cloud, SaaS, and enterprise environments. The MongoBleed vulnerability has reportedly been linked to a major breach in Ubisoft's Rainbow Six Siege, where attackers exploited the flaw to manipulate in-game assets, resulting in the unauthorized distribution of billions of in-game credits and random moderation actions. Ubisoft responded by shutting down game servers and rolling back transactions, though the company has not officially confirmed MongoBleed as the root cause. The incident highlights the real-world impact of MongoDB vulnerabilities on high-profile applications and underscores the urgent need for organizations to apply mitigations and monitor for exploitation attempts.
1 month ago
Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution
Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as **MongoBleed**—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the `zlib` implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions `8.2.3`, `8.0.17`, `7.0.28`, `6.0.27`, `5.0.32`, and `4.4.30`, while end-of-life branches remain unpatched. A separate advisory disclosed a **critical Redis vulnerability** affecting `8.2.1` and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow **remote arbitrary code execution**, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as `6.2.20`, `7.2.11`, `7.4.6`, `8.0.4`, and `8.2.2`, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.
1 week ago
MongoBleed Vulnerability in MongoDB Exploited Against Ubisoft's Rainbow Six Siege
A critical vulnerability in MongoDB, identified as CVE-2025-14847 and dubbed 'MongoBleed,' has been publicly disclosed, with a proof-of-concept (PoC) exploit released. The flaw resides in MongoDB's use of the `zlib` compression library, allowing unauthenticated attackers to send specially crafted messages that cause the server to leak fragments of its internal memory. This memory leak can expose sensitive data such as clear-text passwords, login keys, personal information, and security tokens, all without requiring authentication. The impact of this vulnerability became immediately apparent when Ubisoft was forced to shut down its popular game, Rainbow Six Siege, after attackers exploited MongoBleed to compromise player accounts and internal systems. Thousands of gamers were locked out as a result, highlighting the real-world risks posed by the flaw. Security researchers have confirmed that multiple hacker groups are actively leveraging the PoC to target organizations using vulnerable MongoDB instances, emphasizing the urgent need for patching and mitigation.
1 month ago