惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 热门话题
S
Secure Thoughts
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
AI
AI
B
Blog RSS Feed
S
Schneier on Security
雷峰网
雷峰网
Schneier on Security
Schneier on Security
Help Net Security
Help Net Security
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
罗磊的独立博客
有赞技术团队
有赞技术团队
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
The Cloudflare Blog
Webroot Blog
Webroot Blog
Last Week in AI
Last Week in AI
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
美团技术团队
L
Lohrmann on Cybersecurity
T
The Blog of Author Tim Ferriss
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Vercel News
Vercel News
Know Your Adversary
Know Your Adversary
O
OpenAI News
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
I
InfoQ
GbyAI
GbyAI
T
Threatpost
C
Cisco Blogs

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It
Sooraj Shah · 2025-12-26 · via Aikido Security's Blog

Published on:

Dec 26, 2025

Key takeaways

  • Aikido Security tracked this MongoDB vulnerability before it was indexed in the NVD, based on upstream vendor fixes and internal threat intelligence ingestion.
  • The issue (CVE-2025-14847), known as MongoBleed, allows unauthenticated, network-level attackers to extract fragments of uninitialized server memory.
  • No credentials are required if the MongoDB server is reachable over the network and zlib compression is enabled.
  • Aikido customers were already able to detect the vulnerability via container scanning, VM scanning, Kubernetes scanning, while new CSPM rules have been added to reinforce prevention to exposed MongoDB services.

How to see if you are affected

Option 1: Use Aikido Security

You are affected if Aikido reports:

  • A vulnerable MongoDB version running in containers, virtual machines, or Kubernetes
  • Network-exposed MongoDB services
  • Misconfigured cloud or cluster-level access controls

These checks are available in the free version of Aikido Security.

Option 2: Manual validation

You are likely affected if:

  • Your MongoDB version is listed in the affected versions table below
  • Your MongoDB port is reachable over the network
  • zlib compression is enabled (default in many deployments)

Remediation steps

Immediate remediation (recommended)

Upgrade MongoDB to a patched version:

  • 8.2.3
  • 8.0.17
  • 7.0.28
  • 6.0.27
  • 5.0.32
  • 4.4.30

Temporary mitigation (if upgrade is not immediately possible)

  • Disable zlib compression and switch to snappy, zstd, or no compression
  • Restrict network access to MongoDB using firewalls, security groups, or Kubernetes NetworkPolicies
  • Remove any unnecessary public exposure

Who is impacted

This vulnerability impacts organizations running self-managed MongoDB servers on affected versions where:

  • The MongoDB service is reachable over the network
  • zlib compression is enabled

This includes MongoDB deployed on:

  • Virtual machines
  • Containers
  • Kubernetes clusters
  • Cloud environments with misconfigured networking

What is Mongobleed?

MongoDB disclosed a vulnerability in its network transport layer that can result in uninitialized server memory being sent to clients. Because the issue occurs during message decompression, it is triggered before authentication, allowing unauthenticated attackers to exploit it remotely.

The vulnerability is tracked as CVE-2025-14847.

What is the attack about?

The attack targets MongoDB’s handling of compressed network messages. By sending specially crafted compressed payloads, an attacker can cause MongoDB to miscalculate the length of decompressed data and include unintended memory contents in its response.

Attacker intent

The vulnerability enables information disclosure, which may be used for reconnaissance, data harvesting, or chaining with other attacks.

Initial impact

  • Authentication required: No
  • User interaction required: None
  • Attack surface: Network-exposed MongoDB instances
  • Exploit complexity: Low

Broader impact

Even partial memory disclosure can reveal sensitive application data, expose internal server state, and assist attackers in lateral movement.

{{cta}}

Technical deep dive

Where the vulnerability lived

The issue resides in MongoDB’s network transport compression layer, specifically in the zlib decompression logic.

What it could do

Incorrect handling of decompressed message lengths caused MongoDB to return uninitialized heap memory beyond the intended payload, resulting in memory disclosure.

Proof of concept (high level)

MongoDB’s own regression tests and patches demonstrate that malformed compressed frames could reliably trigger the issue, confirming exploitability under attacker-controlled input.

Why these vulnerabilities occur

This class of vulnerability typically arises from complex memory management in high-performance network code, insufficient validation of attacker-controlled input, and mismatches between allocated buffer sizes and actual data length.

Scope of attack

Workloads are at risk if they:

  • Run vulnerable MongoDB versions
  • Allow inbound network access to MongoDB
  • Use default compression settings
  • Lack network segmentation or runtime visibility

How Aikido Security helps

Aikido helps teams reduce exposure to vulnerabilities like CVE-2025-14847 by focusing on early signals and real runtime risk, not just CVE listings.

  • Early awareness
    Aikido tracks upstream vendor fixes and advisories in Aikido Intel, so teams can see critical issues before they appear in the NVD or most scanners.
  • Where it’s actually running
    Aikido shows whether vulnerable MongoDB versions are present in containers, VMs, or Kubernetes, and whether they are network exposed.
  • Fewer risky defaults
    Built-in posture checks help catch unsafe configurations like exposed databases that turn bugs into incidents.

This lets developers identify and fix real exposure quickly without waiting on delayed CVE feeds. Learn more about Aikido Security here.

Conclusion

CVE-2025-14847 is a critical MongoDB vulnerability that allows unauthenticated attackers to leak server memory via zlib compression.

Appendix: Affected MongoDB Versions

MongoDB 8.2

  • Vulnerable: 8.2.0 – 8.2.2
  • Fixed: 8.2.3

MongoDB 8.0

  • Vulnerable: 8.0.0 – 8.0.16
  • Fixed: 8.0.17

MongoDB 7.0

  • Vulnerable: 7.0.0 – 7.0.27
  • Fixed: 7.0.28

MongoDB 6.0

  • Vulnerable: 6.0.0 – 6.0.26
  • Fixed: 6.0.27

MongoDB 5.0

  • Vulnerable: 5.0.0 – 5.0.31
  • Fixed: 5.0.32

MongoDB 4.4

  • Vulnerable: 4.4.0 – 4.4.29
  • Fixed: 4.4.30

MongoDB 4.2

  • Vulnerable: All versions
  • Fixed: No fix available

MongoDB 4.0

  • Vulnerable: All versions
  • Fixed: No fix available

MongoDB 3.6

  • Vulnerable: All versions
  • Fixed: No fix available

References

MongoDB Security Advisory for CVE-2025-14847

Aikido Intel

Last updated on:

Mar 17, 2026

Tired of false positives?

Try Aikido like 100k others.

Start Now

Get a personalized walkthrough

Trusted by 100k+ teams

Book Now

Scan your app for IDORs and real attack paths

Trusted by 100k+ teams

Start Scanning

See how AI pentests your app

Trusted by 100k+ teams

Start Testing

Check If You're Vulnerable

Scan Repo

Run free scan

Vulnerabilities & Threats

Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm

Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.

Vulnerabilities & Threats

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens

A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.

Vulnerabilities & Threats

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer

Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

No credit card required | Scan results in 32secs.