SECURITY
Cybersecurity authorities in the U.S. and Australia are warning that a critical vulnerability in MongoDB and MongoDB Server is being actively exploited in the wild and poses a threat to organizations that run exposed database infrastructure.
The vulnerability, tracked as CVE-2025-14847 and dubbed “MongoBleed,” is described by the U.S. Cybersecurity and Infrastructure Security Agency as an improper handling of length parameter inconsistency vulnerability. As part of its warning, CISA is requiring all federal civilian agencies to apply patches by Jan. 19. The Australian Signals Directorate similarly warned that it is aware of active global exploitation of this vulnerability.
The MongoBleed vulnerability stems from how MongoDB Server handles zlib-compressed network messages. A flaw in MongoDB’s decompression logic can cause the database to return uninitialized heap memory to remote clients before authentication occurs.
The vulnerability allows unauthenticated attackers with network access to the MongoDB port to repeatedly probe the server and aggregate leaked memory fragments, potentially exposing credentials, session keys, internal state and other sensitive data.
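The article describes the bug class (a length parameter inconsistency in decompression) but not MongoDB's actual defect, so the following is an added, constructed example rather than MongoDB's code: a strict parser for an OP_COMPRESSED frame that refuses any message whose zlib stream does not inflate to exactly the declared uncompressedSize, which is the consistency check that keeps a decompressor from ever handing back bytes it did not produce. The wire layout used (16-byte header with opCode 2012, then originalOpcode, uncompressedSize, compressorId, payload; compressorId 2 = zlib) is the public MongoDB wire protocol; the 48 MB size bound, the sample body and the helper names are assumptions made for the example.

```python
"""Strict OP_COMPRESSED parsing with a length-consistency check (added example).

Not MongoDB's code. Demonstrates the check a decompressor must make: the
declared uncompressedSize is treated as an untrusted claim that the inflated
stream has to match exactly, and output is capped at that size rather than
trusted to fill a pre-sized buffer.
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
HEADER = struct.Struct("<iiii")          # messageLength, requestID, responseTo, opCode
COMPRESSED_HDR = struct.Struct("<iiB")   # originalOpcode, uncompressedSize, compressorId
MAX_MESSAGE_SIZE = 48 * 1024 * 1024      # assumed upper bound on a decompressed message


class MalformedMessage(ValueError):
    """Raised for any frame whose headers and zlib stream disagree."""


def build_op_compressed(body: bytes, declared_size: int = -1) -> bytes:
    """Wrap `body` in an OP_COMPRESSED frame using zlib.

    declared_size lets a test deliberately mis-declare uncompressedSize so the
    parser's consistency check can be exercised; -1 means declare it honestly.
    """
    payload = zlib.compress(body)
    size = len(body) if declared_size < 0 else declared_size
    inner = COMPRESSED_HDR.pack(OP_MSG, size, COMPRESSOR_ZLIB) + payload
    return HEADER.pack(HEADER.size + len(inner), 1, 0, OP_COMPRESSED) + inner


def parse_op_compressed(frame: bytes) -> bytes:
    """Return the inflated message body, or raise MalformedMessage."""
    if len(frame) < HEADER.size + COMPRESSED_HDR.size:
        raise MalformedMessage("frame shorter than its headers")
    msg_len, _req, _resp, opcode = HEADER.unpack_from(frame, 0)
    if msg_len != len(frame) or opcode != OP_COMPRESSED:
        raise MalformedMessage("messageLength or opCode does not match the frame")
    _orig_op, declared, comp_id = COMPRESSED_HDR.unpack_from(frame, HEADER.size)
    if comp_id != COMPRESSOR_ZLIB:
        raise MalformedMessage(f"unsupported compressorId {comp_id}")
    if not 0 < declared <= MAX_MESSAGE_SIZE:
        raise MalformedMessage(f"uncompressedSize {declared} out of range")

    payload = frame[HEADER.size + COMPRESSED_HDR.size:]
    inflater = zlib.decompressobj()
    # Cap output at the declared size instead of trusting the header to size a buffer.
    out = inflater.decompress(payload, declared)
    if not inflater.eof:
        # Either the stream was truncated or it would inflate past the declared size.
        raise MalformedMessage("zlib stream truncated or longer than uncompressedSize")
    if inflater.unused_data:
        raise MalformedMessage("trailing bytes after the zlib stream")
    if len(out) != declared:
        raise MalformedMessage(f"declared {declared} bytes, stream produced {len(out)}")
    return out


def is_rejected(frame: bytes) -> bool:
    """True if the parser refuses the frame."""
    try:
        parse_op_compressed(frame)
    except MalformedMessage:
        return True
    return False


if __name__ == "__main__":
    body = b"\x00\x00\x00\x00" + b"constructed OP_MSG body"   # constructed sample
    print("honest frame accepted:", parse_op_compressed(build_op_compressed(body)) == body)
    print("over-declared size rejected:", is_rejected(build_op_compressed(body, len(body) + 4096)))
    print("under-declared size rejected:", is_rejected(build_op_compressed(body, len(body) - 5)))
```

The two rejection cases are the ones that matter for this bug class: a size declared larger than the stream produces must not leave a gap that gets filled from whatever was previously in memory, and a size declared smaller must not let the stream write past the buffer. Both end in an error returned to the client before any decompressed bytes are used.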
According to network security company Tenable Holdings Inc., proof-of-concept exploit code was published publicly on GitHub on Dec. 25, and within days security researchers detected automated scanning and exploitation attempts targeting vulnerable instances. Analysis indicates that tens of thousands of MongoDB deployments remain reachable on the internet and susceptible to attack, many with zlib compression enabled, a common default configuration.
The scale of exposure is significant. Scanning services have identified around 87,000 potentially vulnerable MongoDB instances worldwide, and cloud security telemetry suggests that a large portion of cloud environments host at least one affected database.
MongoDB has released patches addressing the flaw across supported versions, and defenders are being urged to upgrade immediately. If an organization is unable to patch immediately, recommended mitigation steps include disabling zlib compression and restricting network access to trusted hosts.
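For teams that cannot patch right away, the two stopgaps above map onto specific mongod.conf settings. As an added example that is not MongoDB's tooling, the script below audits a parsed configuration for both and produces a hardened copy. It works on the dict that `yaml.safe_load()` returns for a mongod.conf, with the sample built inline so it runs without PyYAML or a live server. The option names (`net.compression.compressors`, where `disabled` turns network compression off; `net.bindIp`; `net.bindIpAll`) are MongoDB's documented settings; the assumed default compressor list, the sample values and the loopback placeholder address are assumptions made for the example.

```python
"""Audit a parsed mongod.conf for the two MongoBleed stopgaps (added example).

Constructed example, not MongoDB's tooling. Flags zlib in the negotiated
compressor list and a listener bound to every interface, then returns a
hardened copy of the configuration.
"""
import copy

# Compressor list assumed when net.compression.compressors is absent (recent mongod defaults).
ASSUMED_DEFAULT_COMPRESSORS = "snappy,zstd,zlib"
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample mirroring a typical internet-exposed deployment.
SAMPLE_CONF = {
    "net": {
        "port": 27017,
        "bindIpAll": True,
        "compression": {"compressors": "snappy,zstd,zlib"},
    },
    "security": {"authorization": "enabled"},
}


def compressors(cfg: dict) -> list:
    """Return the configured compressor names as a list."""
    raw = cfg.get("net", {}).get("compression", {}).get("compressors", ASSUMED_DEFAULT_COMPRESSORS)
    return [c.strip() for c in str(raw).split(",") if c.strip()]


def audit_mongod_conf(cfg: dict) -> list:
    """Return a list of findings; an empty list means both stopgaps are in place."""
    findings = []
    if "zlib" in compressors(cfg):
        findings.append(
            "net.compression.compressors accepts zlib; set it to 'disabled' until patched"
        )
    net = cfg.get("net", {})
    bind_addrs = [a.strip() for a in str(net.get("bindIp", "localhost")).split(",")]
    if net.get("bindIpAll") or any(a in WILDCARD_ADDRS for a in bind_addrs):
        findings.append(
            "mongod listens on all interfaces; bind to trusted hosts and restrict with a firewall"
        )
    return findings


def harden(cfg: dict) -> dict:
    """Return a copy of cfg with zlib disabled and the listener bound to a trusted address."""
    out = copy.deepcopy(cfg)
    net = out.setdefault("net", {})
    net.setdefault("compression", {})["compressors"] = "disabled"
    net.pop("bindIpAll", None)
    net["bindIp"] = "127.0.0.1"  # placeholder: list only the hosts that need database access
    return out


if __name__ == "__main__":
    for finding in audit_mongod_conf(SAMPLE_CONF):
        print("FINDING:", finding)
    print("after hardening:", audit_mongod_conf(harden(SAMPLE_CONF)) or "no findings")
```

Disabling compression is a stopgap, not the fix: the article's guidance is to apply the vendor patch and keep the database off the public internet regardless of patch status, and this audit only verifies those two settings.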
Dan Andrew, head of security at cloud-based vulnerability scanning company Intruder Systems Ltd., told SiliconANGLE via email that “this is a serious vulnerability that allows an unauthenticated remote attacker to retrieve information from MongoDB’s memory. A proof of concept is available to the public.”
“Similar to other heap disclosure vulnerabilities such as Heartbleed, the impact of exploitation will vary depending on the information an attacker is able to obtain from the heap,” said Andrew. “However, it is quite likely that the leaked memory will contain credentials or other sensitive information, especially as attackers learn more about the vulnerability and use it more effectively.”
Regardless of patch status, he advised that MongoDB should not be exposed to the internet and access should be restricted by a firewall or similar controls. “You should also apply the patch as soon as possible to avoid the vulnerability being exploited internally,” he added.