
Critical Vulnerability in MongoDB Reported in Podcast
On December 28, 2025, a critical vulnerability affecting MongoDB was covered in the SANS Internet Storm Center Stormcast podcast. A security update released on December 24 addresses a memory disclosure flaw in the handling of compressed BSON (Binary JSON) data. When MongoDB decompresses an incoming message, it takes the size of the result from the size of the buffer it allocated (the length declared by the sender) rather than from the number of bytes the decompressor actually wrote. An attacker who declares a decompressed length larger than the real content therefore makes the server treat the unwritten tail of that buffer, residual data left behind by earlier allocations, as part of the document, and that residue can include secrets such as keys and identifiers.
A proof of concept (PoC) was published alongside the patch, which lowers the bar for exploitation, and active attacks against MongoDB instances exposed to the internet have been observed. All versions since 3.6 are vulnerable until patched. The flaw does not by itself allow code execution, but the disclosed data (credentials, session or key material) can be used to compromise the deployment further. Patch immediately; instances reachable from the internet should be isolated from it, and credentials should be rotated wherever a compromise is suspected. Podcast episode: https://www.youtube.com/watch?v=tQkZx7wfJ98
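The length-confusion pattern described above, as an added example in Go that is not MongoDB's code or the podcast's material: a server-side decompression routine that trusts the sender's declared size next to a corrected one that only returns what the decompressor wrote. The wire layout (a declared length followed by a zlib payload), the reusable buffer pool and the sample secret are all constructed for the demonstration and are not MongoDB's actual message format or allocator.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
)

// maxDeclared is a hypothetical upper bound a server would enforce on the
// sender-supplied decompressed size (assumption, not a MongoDB constant).
const maxDeclared = 1 << 20

// compressedMsg models a wire message that carries a declared decompressed
// size next to a zlib payload. Constructed for this example.
type compressedMsg struct {
	declaredLen uint32
	payload     []byte
}

// newMsg compresses plaintext and lets the sender declare any size it likes;
// that declared field is what an attacker manipulates.
func newMsg(plaintext []byte, declaredLen uint32) compressedMsg {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(plaintext)
	w.Close()
	return compressedMsg{declaredLen: declaredLen, payload: buf.Bytes()}
}

// bufferPool stands in for a reused allocation: whatever the previous caller
// left in the buffer is still there when it is handed out again.
type bufferPool struct{ buf []byte }

func (p *bufferPool) get(n int) []byte {
	if cap(p.buf) < n {
		p.buf = make([]byte, n)
	}
	return p.buf[:n]
}

// decompressVulnerable trusts declaredLen: it returns the whole buffer even
// when inflate produced fewer bytes, so the tail is stale memory.
func decompressVulnerable(p *bufferPool, m compressedMsg) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(m.payload))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	out := p.get(int(m.declaredLen))
	io.ReadFull(r, out) // BUG: bytes-written count and short-read error discarded
	return out, nil     // len(out) == declaredLen regardless of what inflate wrote
}

// decompressFixed only returns the bytes inflate actually produced and rejects
// any mismatch with the declared size in either direction.
func decompressFixed(p *bufferPool, m compressedMsg) ([]byte, error) {
	if m.declaredLen > maxDeclared {
		return nil, fmt.Errorf("declared size %d exceeds limit", m.declaredLen)
	}
	r, err := zlib.NewReader(bytes.NewReader(m.payload))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	out := p.get(int(m.declaredLen))
	n, err := io.ReadFull(r, out)
	if err != nil {
		return nil, fmt.Errorf("decompressed %d of %d declared bytes: %w", n, m.declaredLen, err)
	}
	var extra [1]byte
	if k, _ := r.Read(extra[:]); k != 0 {
		return nil, errors.New("decompressed data exceeds declared size")
	}
	return out[:n], nil
}

// demo replays the scenario: a buffer that previously held a secret is reused
// for an attacker's message whose declared size is larger than its content.
func demo() (leakedFromVulnerable bool, fixedErr error) {
	// Constructed residue: the previous request left a token in the buffer.
	secret := []byte("previous request: Authorization: Bearer SECRET-TOKEN-0042")
	pool := &bufferPool{}
	copy(pool.get(128), secret)

	// Constructed attacker message: two real bytes, 64 declared.
	attack := newMsg([]byte("{}"), 64)

	leaked, _ := decompressVulnerable(pool, attack)
	leakedFromVulnerable = bytes.Contains(leaked, []byte("SECRET-TOKEN"))

	_, fixedErr = decompressFixed(pool, attack)
	return leakedFromVulnerable, fixedErr
}

func main() {
	leaked, err := demo()
	fmt.Printf("vulnerable path leaked stale secret: %v\n", leaked)
	fmt.Printf("fixed path rejected message: %v\n", err)
}
```

The fix is two checks, not one: the returned slice is cut to the byte count the decompressor reported, and a declared size that is either larger or smaller than the real output is rejected before the message is parsed as BSON. The same pattern applies to any decoder that writes into a caller-sized buffer (`inflate`, `snappy`, `zstd`): the count the decoder returns is the only trustworthy length.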