The flaw lies in the zlib-based decompression logic for network messages, which is executed before authentication occurs. By sending specially crafted network packets, attackers can force the system to return uninitialized memory. This allows fragments of sensitive data, such as login credentials, to be leaked without requiring valid credentials or user interaction.
Cloud environments vulnerable on a large scale
According to research by Wiz, 42% of cloud environments have at least one MongoDB instance affected by this vulnerability, whether internally or publicly accessible. Censys reports 87,000 potentially vulnerable instances worldwide. A working exploit has been publicly circulating since December 26, 2025, and the first reports of active exploitation have been received.
The vulnerability impacts MongoDB in versions 8.2.0 through 8.2.2, 8.0.0 through 8.0.16, 7.0.0 through 7.0.27, 6.0.0 through 6.0.26, 5.0.0 through 5.0.31, 4.4.0 through 4.4.29, and all MongoDB Server v4.2, v4.0, and v3.6 versions.
The vulnerability also impacts several Linux distribution packages such as rsync, with varying severity and unknown exploitability as of this time.
Wiz advises security teams to take the following steps:
- Patch immediately to one of the safe versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
- If patching isn’t possible immediately, disable zlib compression by removing it from the networkMessageCompressors command-line option or the net.compression.compressors key in the configuration file. Alternatives include snappy or zstd, or disabling compression entirely.
- Restrict network access to MongoDB servers (e.g., via firewall rules or private networks).
- Monitor logs for suspicious pre-authentication connections or unexpected crashes. Detection tools and guidelines are available from Eric Capuano and Florian Roth.
- Plan upgrades for outdated, unsupported MongoDB versions, as they will remain permanently vulnerable.
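As an added example (not tooling from Wiz or MongoDB), the following Python helper turns the steps above into a per-server triage: it classifies a mongod version against the affected and fixed releases listed in this article, drops zlib from a configured compressor list, and renders the corresponding net.compression.compressors fragment. The function names, the report format and the inventory rows at the bottom are this example's own.

```python
"""Triage helper for the MongoDB zlib pre-authentication memory leak.

Added example, not tooling from Wiz or MongoDB. The version ranges and fixed
releases come from the article; the function names and the report format are
this example's own.
"""
import re

# Per release branch: first affected, last affected, first fixed (from the article).
AFFECTED_BRANCHES = [
    ((8, 2, 0), (8, 2, 2), "8.2.3"),
    ((8, 0, 0), (8, 0, 16), "8.0.17"),
    ((7, 0, 0), (7, 0, 27), "7.0.28"),
    ((6, 0, 0), (6, 0, 26), "6.0.27"),
    ((5, 0, 0), (5, 0, 31), "5.0.32"),
    ((4, 4, 0), (4, 4, 29), "4.4.30"),
]
# Branches where every release is affected and none is fixed: upgrade is the only remedy.
UNSUPPORTED_BRANCHES = {(4, 2), (4, 0), (3, 6)}

# Values MongoDB accepts for --networkMessageCompressors / net.compression.compressors.
KNOWN_COMPRESSORS = {"snappy", "zstd", "zlib", "disabled"}


def parse_version(text):
    """'8.0.16' or '8.0.16-rc0' -> (8, 0, 16); anything else is rejected."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess_version(text):
    """Return (status, fixed_release) for one mongod version.

    status is 'vulnerable', 'patched' (at or past the branch's fix) or
    'unsupported' (branch with no fix). Branches the article does not list
    come back as 'unknown' so they get reviewed rather than silently ignored.
    """
    v = parse_version(text)
    if v[:2] in UNSUPPORTED_BRANCHES:
        return "unsupported", ""
    for low, high, fixed in AFFECTED_BRANCHES:
        if v[:2] == low[:2]:
            return ("vulnerable" if low <= v <= high else "patched"), fixed
    return "unknown", ""


def split_compressors(configured):
    """Accept 'snappy,zlib' (command line) or ['snappy', 'zlib'] (YAML list)."""
    items = configured.split(",") if isinstance(configured, str) else list(configured)
    items = [c.strip() for c in items if c.strip()]
    unknown = set(items) - KNOWN_COMPRESSORS
    if unknown:
        raise ValueError(f"unknown compressor(s): {sorted(unknown)}")
    return items


def harden_compressors(configured):
    """Drop zlib; an empty list means 'compression disabled'."""
    return [c for c in split_compressors(configured) if c not in ("zlib", "disabled")]


def render_config_fragment(compressors):
    """mongod.conf YAML fragment for the hardened list ('disabled' turns
    network compression off entirely)."""
    value = ",".join(compressors) if compressors else "disabled"
    return f"net:\n  compression:\n    compressors: {value}\n"


def triage(version, configured_compressors):
    """Order the article's steps for one server: patch first, zlib removal as
    the interim measure, upgrade planning for branches without a fix."""
    status, fixed = assess_version(version)
    current = split_compressors(configured_compressors)
    actions = []
    if status == "vulnerable":
        actions.append(f"patch to {fixed}")
    elif status == "unsupported":
        actions.append("plan upgrade to a supported branch (no fixed release exists)")
    if status in ("vulnerable", "unsupported") and "zlib" in current:
        hardened = harden_compressors(current)
        actions.append("interim: set compressors to " + (",".join(hardened) or "disabled"))
    return {"version": version, "status": status, "actions": actions}


if __name__ == "__main__":
    # Constructed inventory rows, not data from the article.
    for ver, comp in [("8.0.16", "snappy,zstd,zlib"), ("8.0.17", "zlib"),
                      ("4.2.24", ["zlib"]), ("7.0.28", "snappy")]:
        print(triage(ver, comp))
```

Feed it the version from `db.version()` and the compressor setting from the running process (`getCmdLineOpts` or the config file); a server on a fixed release keeps zlib without an action, because the interim step only matters while the leak is still reachable.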
MongoDB Atlas users don’t need to take any action; their instances have been updated automatically. For self-hosted environments, manual patching remains essential to prevent data breaches.
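The monitoring step in the list above is vague on what "suspicious pre-authentication connections" look like in practice. The following added example (not the detection tooling by Eric Capuano or Florian Roth that the article mentions) implements one defensible heuristic over MongoDB's structured JSON log format (4.4 and later): a remote host that repeatedly opens connections which end without an "Authentication succeeded" event. The log lines are constructed, the message texts it keys on are assumed to match what mongod emits, and the threshold and window are illustrative defaults.

```python
"""Heuristic for the 'monitor for suspicious pre-authentication connections' step.

Added example; not the tooling by Eric Capuano or Florian Roth the article
refers to. Assumes MongoDB's structured JSON log layout (4.4+) and keys on the
messages 'Connection accepted', 'Authentication succeeded' and 'Connection
ended'. Sample lines are constructed; thresholds are illustrative.
"""
import json
from datetime import datetime, timedelta


def _line(ts, component, msg, remote, cid, extra=None):
    """Build one constructed log line in mongod's JSON layout."""
    attr = {"remote": remote, "connectionId": cid}
    attr.update(extra or {})
    ctx = "listener" if msg == "Connection accepted" else f"conn{cid}"
    return json.dumps({"t": {"$date": ts}, "s": "I", "c": component,
                       "ctx": ctx, "msg": msg, "attr": attr})


def build_sample_log():
    """Constructed sample: one host churning through short unauthenticated
    connections, one legitimate client that authenticates, one lone probe."""
    base = datetime.fromisoformat("2025-12-27T10:00:00+00:00")
    at = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = []
    for i in range(6):  # six accept/end pairs from one host inside ten seconds
        remote = f"203.0.113.5:{51000 + i}"
        lines.append(_line(at(seconds=2 * i), "NETWORK", "Connection accepted", remote, 100 + i))
        lines.append(_line(at(seconds=2 * i, milliseconds=40), "NETWORK", "Connection ended", remote, 100 + i))
    lines.append(_line(at(seconds=5), "NETWORK", "Connection accepted", "10.0.0.8:40000", 200))
    lines.append(_line(at(seconds=5, milliseconds=100), "ACCESS", "Authentication succeeded",
                       "10.0.0.8:40000", 200, {"user": "app", "db": "admin"}))
    lines.append(_line(at(minutes=5), "NETWORK", "Connection ended", "10.0.0.8:40000", 200))
    lines.append(_line(at(seconds=30), "NETWORK", "Connection accepted", "192.0.2.9:60000", 300))
    lines.append(_line(at(seconds=31), "NETWORK", "Connection ended", "192.0.2.9:60000", 300))
    return lines


def unauthenticated_endings(lines):
    """Yield (host, ended_at) for every connection that ended without an
    'Authentication succeeded' event. Malformed lines are skipped."""
    opened, authed = {}, set()
    for raw in lines:
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        attr = rec.get("attr", {})
        cid = attr.get("connectionId")
        ctx = rec.get("ctx", "")
        if cid is None and ctx.startswith("conn") and ctx[4:].isdigit():
            cid = int(ctx[4:])  # fall back to the connN context name
        if cid is None:
            continue
        msg = rec.get("msg")
        if msg == "Connection accepted":
            opened[cid] = attr.get("remote", "").rsplit(":", 1)[0]
        elif msg == "Authentication succeeded":
            authed.add(cid)
        elif msg == "Connection ended" and cid in opened:
            host = opened.pop(cid)
            if cid not in authed:
                yield host, datetime.fromisoformat(rec["t"]["$date"])
            authed.discard(cid)


def flag_hosts(lines, threshold=5, window=timedelta(seconds=60)):
    """Hosts with at least `threshold` unauthenticated connection endings inside
    any sliding `window`, mapped to their peak count."""
    per_host = {}
    for host, when in unauthenticated_endings(lines):
        per_host.setdefault(host, []).append(when)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    print(flag_hosts(build_sample_log()))
```

Load-balancer health checks and monitoring probes also open connections that end without authenticating, so allowlist those sources or raise the threshold before turning this into an alert; the point of the heuristic is to surface hosts that hammer the pre-authentication path, which is exactly where this flaw is reachable.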
More information about the vulnerability can be found here.