Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution
Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as MongoBleed—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the zlib implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30, while end-of-life branches remain unpatched.
A separate advisory disclosed a critical Redis vulnerability affecting 8.2.1 and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow remote arbitrary code execution, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.
Timeline
Mar 11, 2026
Redis releases patched versions for critical RCE risk
Redis published fixed versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 for the Lua scripting vulnerability. Guidance also reiterated that Redis instances should not be exposed directly to the public internet and that previously exposed systems should be checked for compromise.
Mar 11, 2026
Critical Redis Lua scripting vulnerability becomes publicly known
A critical use-after-free vulnerability in Redis affecting version 8.2.1 and earlier was disclosed, impacting deployments with Lua scripting enabled, which is the default configuration. The flaw can potentially allow remote arbitrary code execution over the network, and defenders were warned that exploitation could begin within hours.
Jan 2, 2026
MongoDB fixes released for information disclosure vulnerability
MongoDB released patched versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 to address the information disclosure flaw, while end-of-life versions remain without fixes. Finland's NCSC published an alert describing exploitation indicators such as malformed or zlib-compressed requests and repeated unauthenticated connections.
Jan 1, 2017
MongoDB information disclosure flaw affects versions released since 2017
A MongoDB vulnerability caused by insufficient validation in zlib can let an unauthenticated network attacker retrieve sensitive data such as credentials, secrets, and personal data from vulnerable servers. The issue affects all MongoDB versions released since approximately 2017, with working exploitation methods reported.
Related Stories

Critical Remote Code Execution Vulnerability in Redis via Lua Use-After-Free (CVE-2025-49844)
A critical security vulnerability, tracked as CVE-2025-49844, has been identified in Redis, an open-source, in-memory database widely used for caching and data storage. The flaw is rated with a CVSS score of 10.0, indicating maximum severity and potential for significant impact. This vulnerability arises from a use-after-free condition in the Lua scripting engine of Redis, which can be exploited by an authenticated user. By crafting a malicious Lua script, an attacker can manipulate the garbage collector within Redis, triggering the use-after-free bug. Successful exploitation of this flaw allows remote code execution on the affected Redis server, granting attackers the ability to run arbitrary code with the privileges of the Redis process. All Redis versions up to and including 8.2.1 are affected by this vulnerability, as they include the vulnerable Lua scripting functionality. The issue has been addressed in Redis version 8.2.2, which contains the necessary patch to remediate the flaw. As an immediate mitigation for organizations unable to upgrade, Redis administrators are advised to restrict the execution of Lua scripts by disabling the EVAL and EVALSHA commands through Access Control Lists (ACLs). The vulnerability requires authentication, but in environments where Redis is exposed to untrusted users or where credentials are weak, the risk of exploitation is heightened. Security advisories recommend prompt patching and review of user permissions to minimize exposure. The flaw was publicly disclosed in early October 2025, and security researchers have emphasized the critical nature of the bug due to its potential for remote exploitation. No specific products beyond Redis itself have been listed as affected, but any deployment using vulnerable versions is at risk. The vulnerability has been confirmed to be remotely exploitable, making it a high-priority issue for organizations relying on Redis for critical infrastructure. 
The security community has highlighted the importance of monitoring for suspicious Lua script activity as an additional detection measure. Redis users are urged to consult official advisories and update their systems as soon as possible to prevent compromise. The disclosure underscores the ongoing risks associated with embedded scripting engines in widely deployed software. Organizations should also review their network exposure and ensure Redis instances are not accessible from untrusted networks. The incident serves as a reminder of the importance of timely patch management and the need for defense-in-depth strategies in database deployments.
1 month ago
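The ACL mitigation mentioned above, as an added example that is not Redis's own tooling: a small audit of `ACL LIST` output that reports which enabled users can still invoke EVAL or EVALSHA (it also covers the EVAL_RO and EVALSHA_RO variants, which the story does not mention). The mapping of these commands to the @scripting category is an assumption, and the sample lines are constructed.

```python
from __future__ import annotations

# Added example: audit Redis `ACL LIST` lines for users who can still run Lua.
# Rules are applied left to right, as Redis does; only the parts of the ACL
# grammar that affect these four commands are modelled.
SCRIPT_CMDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro"})
# Assumption: these four commands belong to Redis's @scripting category.
CATEGORIES = {"all": SCRIPT_CMDS, "scripting": SCRIPT_CMDS}


def script_permissions(acl_line: str) -> tuple[str, bool, frozenset]:
    """Parse one `ACL LIST` line -> (user, enabled, script commands still allowed)."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    user, enabled, allowed = tokens[1], False, set()
    for tok in tokens[2:]:
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok == "reset":                    # back to defaults: off, no commands
            enabled, allowed = False, set()
        elif tok == "allcommands":
            allowed |= SCRIPT_CMDS
        elif tok == "nocommands":
            allowed.clear()
        elif tok[:2] in ("+@", "-@"):           # category rule, e.g. -@scripting
            cat = CATEGORIES.get(tok[2:].lower(), frozenset())
            if tok[0] == "+":
                allowed |= cat
            else:
                allowed -= cat
        elif tok[0] in "+-" and "|" not in tok:  # whole-command rule, e.g. -evalsha
            cmd = tok[1:].lower()
            if cmd in SCRIPT_CMDS:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
        # passwords (>pw, #hash, nopass), key (~) and channel (&) patterns and
        # subcommand rules (cmd|sub) do not change whole-command permissions
    return user, enabled, frozenset(allowed)


def audit_acl_list(lines) -> dict[str, list[str]]:
    """Map each enabled user that can still invoke Lua to the commands it retains."""
    findings = {}
    for line in lines:
        if line.strip():
            user, enabled, allowed = script_permissions(line)
            if enabled and allowed:
                findings[user] = sorted(allowed)
    return findings


# Constructed sample of `ACL LIST` output (the password hash is a placeholder).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* +@all -eval -evalsha -eval_ro -evalsha_ro",
    "user batch on >s3cret ~* &* -@all +@read +@scripting -@scripting +eval",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for user, cmds in audit_acl_list(SAMPLE_ACL_LIST).items():
        print(f"{user}: can still run {', '.join(cmds)}")
```

Feed it the real output of `redis-cli ACL LIST`; any user it reports should get `ACL SETUSER <user> -eval -evalsha -eval_ro -evalsha_ro` until the instance is upgraded.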
MongoBleed Vulnerability in MongoDB and Its Exploitation Impact
A critical vulnerability, CVE-2025-14847, known as MongoBleed, has been discovered in MongoDB, allowing unauthenticated remote attackers to read uninitialized heap memory from affected servers when zlib compression is enabled. This flaw exposes sensitive in-memory data such as credentials, session tokens, and application secrets, and is present across a wide range of MongoDB versions. The vulnerability is actively being exploited, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and warning that over 80,000 servers are at risk. The attack requires no authentication or user interaction, making it a high-severity issue for organizations using MongoDB in cloud, SaaS, and enterprise environments. The MongoBleed vulnerability has reportedly been linked to a major breach in Ubisoft's Rainbow Six Siege, where attackers exploited the flaw to manipulate in-game assets, resulting in the unauthorized distribution of billions of in-game credits and random moderation actions. Ubisoft responded by shutting down game servers and rolling back transactions, though the company has not officially confirmed MongoBleed as the root cause. The incident highlights the real-world impact of MongoDB vulnerabilities on high-profile applications and underscores the urgent need for organizations to apply mitigations and monitor for exploitation attempts.
1 month ago
Mongobleed: Critical Unauthenticated Memory Disclosure Vulnerability in MongoDB via zlib Compression
A critical unauthenticated vulnerability (CVE-2025-14847) has been discovered in MongoDB Server, specifically related to the handling of zlib-compressed network traffic. This flaw allows remote attackers with network access to a MongoDB instance configured with compression enabled to trigger the server into returning uninitialized heap memory in its responses. The leaked memory may contain sensitive data, including fragments of previously processed information, internal state, or confidential values, and no authentication is required to exploit this issue. The vulnerability affects a wide range of MongoDB versions, including 3.6.x through 8.2.x, with patches available in versions 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, and 8.2.3. The root cause lies in the way MongoDB processes malformed zlib-compressed frames, leading to a length mismatch during decompression and the inadvertent inclusion of uninitialized memory in server responses. Given MongoDB's prevalence in cloud environments and its frequent exposure to the internet, this vulnerability poses a significant risk to organizations relying on the database for sensitive data storage and application backends.
3 months ago
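The root cause described above, a declared uncompressed length that does not match what decompression actually produces, is the consistency check a receiver has to enforce. This added example is not MongoDB code: it uses a constructed, simplified frame layout (a 4-byte length field followed by a zlib stream, not MongoDB's wire format) and assumes a 48 MiB cap on declared sizes.

```python
from __future__ import annotations

import struct
import zlib

# Constructed, simplified frame layout for this example only: 4-byte little-endian
# declared uncompressed length, then a zlib stream. Not MongoDB's wire format.
HEADER = struct.Struct("<I")
MAX_UNCOMPRESSED = 48 * 1024 * 1024  # assumed upper bound on what a peer may declare


class FrameError(ValueError):
    """Raised when a compressed frame is malformed or internally inconsistent."""


def build_frame(payload: bytes, declared: int | None = None) -> bytes:
    """Encode a frame; `declared` overrides the length field to construct test input."""
    length = len(payload) if declared is None else declared
    return HEADER.pack(length) + zlib.compress(payload)


def decompress_frame(frame: bytes) -> bytes:
    """Return only the bytes zlib actually produced, never a buffer sized by the header.

    A buffer allocated to the declared size and handed back after a short
    decompression is exactly how stale heap contents end up in a response.
    """
    if len(frame) < HEADER.size:
        raise FrameError("frame shorter than header")
    (declared,) = HEADER.unpack_from(frame)
    if declared > MAX_UNCOMPRESSED:
        raise FrameError(f"declared length {declared} exceeds cap")
    dec = zlib.decompressobj()
    try:
        # cap output at declared+1 so an over-long stream is caught without inflating it all
        out = dec.decompress(frame[HEADER.size:], declared + 1)
    except zlib.error as exc:
        raise FrameError(f"corrupt zlib stream: {exc}") from exc
    if not dec.eof:
        raise FrameError("stream truncated or longer than declared")
    if dec.unused_data:
        raise FrameError("trailing bytes after end of stream")
    if len(out) != declared:
        raise FrameError(f"length mismatch: declared {declared}, produced {len(out)}")
    return out


def frame_is_consistent(frame: bytes) -> bool:
    """True only if the frame decompresses to exactly its declared length."""
    try:
        decompress_frame(frame)
    except FrameError:
        return False
    return True
```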