
High-Severity Memory-Read Flaw in MongoDB Requires Immediate Patching

2 unique sources, 6 articles

Summary


MongoDB has disclosed a high-severity flaw (CVE-2025-14847) affecting multiple versions of its database software. The vulnerability, dubbed MongoBleed, lies in MongoDB Server's zlib message decompression implementation: improper handling of length parameter inconsistencies lets an unauthenticated attacker who sends malformed network packets read uninitialized heap memory and extract sensitive data. The flaw is reachable before authentication and requires no user interaction, so Internet-exposed MongoDB servers are particularly at risk. Over 87,000 MongoDB servers are exposed on the public internet, and active exploitation has been observed in the wild, although the exact nature of the attacks is presently unknown. The flaw has not been officially classified as an RCE, but it poses significant risks.

Admins are urged to upgrade to patched versions immediately or to disable zlib compression as a temporary mitigation. The U.S. CISA has ordered federal agencies to patch the MongoBleed flaw within three weeks, by January 19, 2026, confirming its active exploitation in attacks. The vulnerability also affects the Ubuntu rsync package, as it uses zlib.
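As an added example that is not from the page's sources, this is what the "disable zlib compression" mitigation looks like in a mongod.conf file. It assumes MongoDB's YAML configuration format and its net.compression.compressors option; the file path in the comment is a placeholder.

```yaml
# /etc/mongod.conf (placeholder path; edit the file your mongod actually loads)
#
# Weak setting: zlib is in the negotiated compressor list, so the vulnerable
# decompressor is reachable by any client before authentication.
#
#   net:
#     compression:
#       compressors: snappy,zstd,zlib
#
# Temporary mitigation until the patched build is installed: leave zlib out of
# the list so the server never negotiates it, then restart mongod.
# The equivalent command-line option is --networkMessageCompressors.
net:
  compression:
    compressors: snappy,zstd
```

Clients that only offer zlib fall back to uncompressed traffic rather than failing, so the change can be rolled out on a mixed-client fleet ahead of the upgrade.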

Timeline

  1. 30.12.2025 16:40 1 article · 23h ago

    CISA Orders Federal Agencies to Patch MongoBleed Flaw

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the MongoBleed flaw (CVE-2025-14847) within three weeks, by January 19, 2026. The article highlights the significant impact of the vulnerability, with over 87,000 potentially vulnerable MongoDB instances identified. It emphasizes the importance of patching or disabling zlib compression as a temporary mitigation and mentions the availability of a MongoBleed Detector tool for identifying potential exploitation.

  2. 28.12.2025 22:38 3 articles · 2d ago

    MongoBleed Exploitation in the Wild

    The article confirms that the MongoBleed vulnerability (CVE-2025-14847) is being actively exploited in the wild, with over 74,000 potentially vulnerable instances identified by Shadowserver and over 87,000 IP addresses tracked by Censys. It provides additional context on the nature of the exploitation and the significant risk to Internet-exposed MongoDB servers. The article also mentions the release of a proof-of-concept (PoC) exploit by Elastic security researcher Joe Desimone and the availability of a MongoBleed Detector tool for identifying potential exploitation.

  3. 24.12.2025 16:18 6 articles · 7d ago

    MongoDB Warns of High-Severity RCE Flaw (CVE-2025-14847)

    The article provides additional technical details about the MongoBleed vulnerability (CVE-2025-14847), including its root cause in the zlib message decompression implementation. It highlights the flaw's ability to trigger information leakage by sending malformed network packets and the specific logic that allows undersized or malformed payloads to expose adjacent heap memory. The article also emphasizes the vulnerability's reachability prior to authentication and the significant risk to Internet-exposed MongoDB servers. It notes that the exact details of attacks exploiting the flaw are unknown and that the vulnerability also affects the Ubuntu rsync package. Additionally, the article confirms that the U.S. CISA has ordered federal agencies to patch the MongoBleed flaw within three weeks, by January 19, 2026, confirming its active exploitation in attacks.


Similar Happenings

MongoBleed Vulnerability Actively Exploited in the Wild

A newly disclosed security vulnerability in MongoDB, codenamed MongoBleed (CVE-2025-14847), is being actively exploited in the wild. The flaw allows unauthenticated attackers to remotely leak sensitive data from MongoDB server memory. Over 87,000 potentially susceptible instances have been identified globally, with a majority located in the U.S., China, Germany, India, and France. Users are advised to update to the latest versions of MongoDB to mitigate the risk. The vulnerability has a CVSS score of 8.7 and affects multiple versions of MongoDB. Wiz reported that 42% of cloud environments have at least one instance of MongoDB vulnerable to this flaw.

LangChain Core Serialization Injection Vulnerability (CVE-2025-68664)

A critical serialization injection vulnerability in LangChain Core (CVE-2025-68664) allows attackers to steal secrets and manipulate LLM responses. The flaw, dubbed LangGrinch, arises from improper escaping of dictionaries with 'lc' keys during serialization. The vulnerability affects multiple versions of LangChain Core and LangChain.js, with patches available. The issue enables secret extraction from environment variables, instantiation of classes in trusted namespaces, and potential arbitrary code execution via Jinja2 templates. The patch introduces restrictive defaults and blocks Jinja2 templates by default. The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.

FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws

Multiple critical vulnerabilities in FreePBX, including SQL injection, arbitrary file upload, and authentication bypass flaws, have been patched. These flaws could lead to remote code execution (RCE) under certain configurations. The vulnerabilities were discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025. Patches were released in October and December 2025.

Active Exploitation of Gogs Zero-Day Vulnerability

A high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a self-hosted Git service, is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying malware based on the Supershell C2 framework, linked to Chinese hacking groups. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The attacks appear to be part of a 'smash-and-grab' campaign, with repositories left behind on compromised systems. As of now, there is no patch available for CVE-2025-8110, and users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories. A second wave of attacks was observed on November 1, 2025, and the malware communicates with a command-and-control server at 119.45.176[.]196.

Critical Vulnerabilities in Fluent Bit Logging Agent

Critical vulnerabilities in Fluent Bit, a widely used telemetry agent, have been disclosed. These flaws affect log, metric, and trace handling across banking, cloud, and SaaS platforms. The issues include improper input validation, path traversal bugs, and authentication bypasses, allowing attackers to manipulate logs, overwrite files, and execute code. Patches are available in versions v4.1.1 and v4.0.12, but older versions remain at risk. The vulnerabilities could distort observability pipelines, impacting financial services, security products, and SaaS environments. Immediate patching and configuration hardening are recommended. AWS has urged customers to update to the latest version of Fluent Bit for optimal protection. The flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure.