  • MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide

    Dec 29, 2026 | Ravie Lakshmanan | Database Security / Vulnerability

    A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world.

    The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed.

    “A flaw in zlib compression allows attackers to trigger information leakage,” OX Security said. “By sending malformed network packets, an attacker can extract fragments of private data.”

    The problem is rooted in MongoDB Server’s zlib message decompression implementation (“message_compressor_zlib.cpp”). It affects instances with zlib compression enabled, which is the default configuration. Successful exploitation of the shortcoming could allow an attacker to extract sensitive information from MongoDB servers, including user information, passwords, and API keys.

    “Although the attacker might need to send a large amount of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered,” OX Security added.

    Cloud security company Wiz said CVE-2025-14847 stems from a flaw in the zlib-based network message decompression logic, enabling an unauthenticated attacker to send malformed, compressed network packets to trigger the vulnerability and access uninitialized heap memory without valid credentials or user interaction.

    “The affected logic returned the allocated buffer size (output.length()) instead of the actual decompressed data length, allowing undersized or malformed payloads to expose adjacent heap memory,” security researchers Merav Bar and Amitai Cohen said. “Because the vulnerability is reachable prior to authentication and does not require user interaction, Internet-exposed MongoDB servers are particularly at risk.”
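As an added illustration (not code from the article, MongoDB, OX Security or Wiz), the following Python toy reproduces the length-accounting mistake the researchers describe and places the hardened form beside it. The message framing (a declared length plus a zlib payload), the function names and the sample data are this example's own constructions; a recycled buffer stands in for uninitialised heap memory, and no MongoDB wire format is involved.

```python
"""Added example, not code from the article, MongoDB, OX Security or Wiz.

The article says the affected decompression path returned the allocated output
buffer's size (output.length()) instead of the number of bytes zlib actually
produced. This toy reproduces that length-accounting bug with Python's zlib
module and shows the hardened form beside it. A recycled, never-cleared buffer
pool stands in for uninitialised heap memory; the framing (declared length +
zlib payload), the function names and the sample data are this example's own
construction, not MongoDB's wire format.
"""
import zlib
from typing import Optional, Tuple

# Constructed stand-in for stale heap contents: whatever a previous request
# left behind is handed out again without being zeroed.
_POOL = bytearray(b"previous message: api_key=CONSTRUCTED-SECRET ")


def _allocate(size: int) -> bytearray:
    """Return `size` bytes of recycled memory; nothing is cleared (like malloc)."""
    if size < 1:
        raise ValueError("allocation size must be positive")
    buf = bytearray(_POOL[:size])
    buf.extend(b"\x00" * (size - len(buf)))  # pad if the pool is shorter
    return buf


def frame(plaintext: bytes, declared_len: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a (declared_len, compressed_payload) message. An honest sender
    declares len(plaintext); a malformed frame may declare any length."""
    declared = len(plaintext) if declared_len is None else declared_len
    return declared, zlib.compress(plaintext)


def decompress_vulnerable(declared_len: int, payload: bytes) -> bytes:
    """Vulnerable pattern: sizes the buffer from the sender's declared length,
    writes whatever zlib produced, then returns the WHOLE buffer."""
    output = _allocate(declared_len)
    # Like inflate() with avail_out = declared_len: at most that many bytes come out.
    produced = zlib.decompressobj().decompress(payload, declared_len)
    output[: len(produced)] = produced
    return bytes(output)  # BUG: buffer length, not len(produced); the tail is stale memory


def decompress_fixed(declared_len: int, payload: bytes) -> bytes:
    """Hardened form: return exactly the bytes zlib produced, and reject a frame
    whose declared length does not match the real decompressed size."""
    output = _allocate(declared_len)
    inflater = zlib.decompressobj()
    produced = inflater.decompress(payload, declared_len)
    if len(produced) != declared_len or not inflater.eof or inflater.unconsumed_tail:
        raise ValueError(
            f"declared {declared_len} bytes but decompressed {len(produced)}"
            + (" (truncated)" if not inflater.eof else "")
        )
    output[: len(produced)] = produced
    return bytes(output[: len(produced)])  # actual length, never the allocation size


def leaked_tail(declared_len: int, payload: bytes) -> bytes:
    """Bytes the vulnerable path returns beyond what the payload really contained."""
    real = zlib.decompress(payload)
    return decompress_vulnerable(declared_len, payload)[len(real):]


if __name__ == "__main__":
    honest = frame(b'{"ping": 1}')
    print("honest frame, both paths:", decompress_vulnerable(*honest), decompress_fixed(*honest))
    malformed = frame(b"hi", declared_len=64)  # tiny payload, oversized declared length
    print("vulnerable path leaks:", leaked_tail(*malformed))
    try:
        decompress_fixed(*malformed)
    except ValueError as exc:
        print("fixed path rejects it:", exc)
```

The two functions differ in one line each: the fixed version slices the result to the number of bytes the inflater actually produced, and it treats any mismatch between the declared and real sizes (including a stream that has not reached end-of-stream) as a malformed message rather than silently returning the buffer.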

    Data from attack surface management company Censys shows that there are more than 87,000 potentially vulnerable instances, with a majority of them located in the U.S., China, Germany, India, and France. Wiz noted that 42% of cloud environments have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847. This includes both internet-exposed and internal resources.

    The exact details surrounding the nature of attacks exploiting the flaw are presently unknown. Users are advised to update to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Patches for MongoDB Atlas have been applied. It’s worth noting that the vulnerability also affects the Ubuntu rsync package, as it uses zlib.

    As temporary workarounds, it’s recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. Other mitigations include restricting network exposure of MongoDB servers and monitoring MongoDB logs for anomalous pre-authentication connections.
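Added example, not code from the article or from MongoDB: a Python triage script that applies the remediation advice above to a constructed server inventory, reporting which servers are on a fixed release, which have zlib removed as a stopgap, and which still need action. The fixed versions, the default compressor list and the option names are taken from the article; the hostnames and helper names are assumptions of this example, and the `disabled` value comes from MongoDB's documentation rather than the article.

```python
"""Added example, not code from the article or from MongoDB. It applies the
remediation advice above to a small constructed inventory: is each server on a
fixed release, and if not, has zlib been removed from its compressor list?
The fixed versions, the default compressor list and the option names come from
the article; the hostnames, the dict layout and the helper names are this
example's own. The value "disabled" is MongoDB's documented setting for no
network compression and is not mentioned in the article."""
import re
from typing import Dict, List, Optional

# Fixed releases named in the article, keyed by (major, minor) release branch.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}
# Default for net.compression.compressors; the article notes zlib is on by default.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'7.0.28', 'v8.0.17' or '6.0.27-rc0' -> (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True only if the branch has a fixed release here and the version is at or
    above it; branches the article does not list are treated as unpatched."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is not None and v >= fixed


def compressor_list(value: Optional[str]) -> List[str]:
    """Effective compressor list; None means the option was not set (default)."""
    raw = DEFAULT_COMPRESSORS if value is None else value
    return [c.strip() for c in raw.split(",") if c.strip()]


def zlib_enabled(value: Optional[str]) -> bool:
    """True if zlib is still negotiable, i.e. the vulnerable path is reachable."""
    return "zlib" in compressor_list(value)


def workaround_args(value: Optional[str]) -> str:
    """mongod/mongos argument that keeps the current compressors minus zlib."""
    kept = [c for c in compressor_list(value) if c != "zlib"]
    return "--networkMessageCompressors " + (",".join(kept) if kept else "disabled")


def assess(server: Dict) -> Dict:
    """Classify one server: patched / workaround (zlib omitted) / vulnerable."""
    patched = is_patched(server["version"])
    zlib_on = zlib_enabled(server.get("compressors"))
    if patched:
        status, action = "patched", "none"
    elif not zlib_on:
        status, action = "workaround", "upgrade when possible (zlib already omitted)"
    else:
        status = "vulnerable"
        action = f"upgrade; until then restart with {workaround_args(server.get('compressors'))}"
    return {"host": server["host"], "version": server["version"],
            "exposed": server.get("exposed", False), "status": status, "action": action}


def triage(inventory: List[Dict]) -> List[Dict]:
    """Assess every server, internet-exposed vulnerable ones first."""
    order = {"vulnerable": 0, "workaround": 1, "patched": 2}
    return sorted((assess(s) for s in inventory),
                  key=lambda r: (order[r["status"]], not r["exposed"], r["host"]))


# Constructed inventory (not real hosts); a missing "compressors" key means the default.
INVENTORY = [
    {"host": "db-analytics.example.internal", "version": "8.0.16", "compressors": "snappy,zstd", "exposed": False},
    {"host": "db-prod-2.example.internal", "version": "7.0.28", "exposed": True},
    {"host": "db-legacy.example.internal", "version": "4.2.24", "exposed": False},
    {"host": "db-prod-1.example.internal", "version": "7.0.27", "exposed": True},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        flag = "EXPOSED " if row["exposed"] else ""
        print(f"{flag}{row['status']:<11} {row['host']} {row['version']}: {row['action']}")
```

A release branch that the article does not list (4.2.x in the constructed inventory) is deliberately reported as vulnerable rather than unknown, since no fixed release is known for it here; the same compressor list can be expressed in `mongod.conf` as `net.compression.compressors` instead of the command-line flag.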

  • Trump says progress made in Ukraine talks but ‘thorny issues’ remain

    Donald Trump and Volodymyr Zelensky said progress had been made to end the Ukraine war during Florida talks but the US leader added “one or two very thorny issues” remained.

    While both the US and Ukrainian presidents described the talks as “great”, Trump reiterated that a key sticking point was the question of territory. Russia has previously demanded that Ukraine hand over more land.

    Addressing reporters at Mar-a-Lago, Zelensky said they had come to an agreement on “90%” of a 20-point peace plan, while Trump said a security guarantee for Ukraine was “close to 95%” done.

    Zelensky later said US and Ukrainian teams would meet next week for further talks on issues aimed at ending Russia’s nearly four-year war in Ukraine.

    “We had a substantive conversation on all issues and highly value the progress that the Ukrainian and American teams have made over the past weeks,” Zelensky said in a statement on the Telegram messaging app.

    Russia launched a full-scale invasion of Ukraine in February 2022, and Moscow currently controls about 20% of Ukrainian territory.

    A proposal to turn the Donbas region in eastern Ukraine, which Russia largely controls, into a demilitarised zone remains “unresolved”, Trump said.

    “Some of that land has been taken,” he told reporters after the meeting. “Some of that land is maybe up for grabs, but it may be taken over the next period of a number of months.”

    Moscow currently controls about 75% of the Donetsk region, and some 99% of the neighbouring Luhansk. The regions are collectively known as Donbas.

    Russia wants Ukraine to pull back from the small part of the territory it still controls in Donbas, while Kyiv has insisted the area could become a free economic zone policed by Ukrainian forces.

    The US president has repeatedly changed his own position on Ukraine’s lost territories, and in September stunned observers by suggesting that Ukraine might be able to take it back. He later reversed course.

    “[That] is a very tough issue,” he said. “One that will get resolved.”

    Security guarantees for Ukraine are “95% done”, Trump said, without formally committing to logistical support or troop deployment to help protect Ukraine from future attacks.

    Trump floated the possibility of trilateral talks between the US, Russia, and Ukraine, saying it could happen “at the right time”.

    While the US president is keen to add the Ukraine-Russia war to the list of conflicts he claims to have ended, he cautioned that stalled or scrapped talks that go “really badly” could mean that the war continues.

    Earlier Trump had a phone call with Russian President Vladimir Putin. While the US president did not offer many details of the phone call, he said he believed the Russian leader “wants Ukraine to succeed”.

    At the same time, Trump acknowledged that Moscow had little interest in a ceasefire that would allow Ukraine to hold a referendum.

    “I understand that position,” he added.

    Russian foreign policy adviser Yuri Ushakov said the call was initiated by Trump and that he and Putin discussed the latest EU and Ukraine proposals to end the war.

    Ushakov, Russia’s former US ambassador, said Trump listened to the Kremlin’s assessment of the proposals and the two presidents left the call united in their belief that a temporary ceasefire proposed by the EU and Ukraine would instead prolong the conflict.

    Zelensky suggested the Ukrainian officials could meet at the White House in January, potentially alongside European leaders, as the US and Ukrainian delegations finalise plans for further talks.

    In a post-meeting call with European allies, European Commission President Ursula von der Leyen hailed “good progress” in the Florida talks while reinforcing the need for Ukraine to receive “ironclad security guarantees from day one”.

    French President Emmanuel Macron also said Kyiv’s allies would meet in Paris next month to discuss security guarantees.

    “We will bring together the countries of the Coalition of the Willing in Paris in early January to finalise each one’s concrete contributions,” Macron said on X after speaking with Zelensky and Trump.

  • Mexico train crash kills 13 and injures almost 100

    At least 13 people died and almost 100 were injured in a train derailment in Mexico’s south-eastern Oaxaca region, the Mexican navy said.

    The train, which was travelling between the Gulf of Mexico and the Pacific Ocean, was carrying 241 passengers and nine crew members.

    A total of 98 were injured, of whom 36 were being treated in hospital, the navy said.

    The train derailed as it rounded a bend near the town of Nizanda, officials said. Mexico’s Attorney General confirmed an investigation was under way.

    Mexican President Claudia Sheinbaum said five of those injured were in a serious condition.

    She said top level officials, including the secretary of the navy, were travelling to the site of the crash.

    Photos from the site of the crash showed rescue workers helping passengers alight from the train, which had come off the tracks and was partly tilted over the side of a cliff.

    The Interoceanic train, which connects the Pacific port of Salina Cruz with Coatzacoalcos on the Gulf Coast, had two locomotives and four passenger cars, the navy said. Mexico’s navy operates the country’s railway network.

    A map showing Nizanda in southern Mexico

    The governor of Oaxaca, Salomón Jara Cruz, expressed “deep regret” over the accident in a statement and said state authorities were coordinating with federal agencies to assist those affected.

    The Interoceanic rail link was inaugurated two years ago to boost the region’s economy, an initiative spearheaded by former President Andrés Manuel López Obrador.

    As part of modernising the rail link across the Isthmus of Tehuantepec, the Mexican government has sought to develop the area into a strategic trade corridor, expanding ports, railways and industrial infrastructure.

    The train service is also part of a broader push to expand passenger and freight rail in southern Mexico and stimulate economic development in the region.
