Critical MongoDB Vulnerability Allows Unauthenticated Attackers to Crash Servers
A significant security flaw, identified as CVE-2026-25611 with a CVSS score of 7.5, has been discovered in MongoDB. This vulnerability enables unauthenticated attackers to crash exposed MongoDB servers using minimal bandwidth. The issue affects all MongoDB versions with compression enabled (version 3.4 and later), including MongoDB Atlas. Notably, compression has been enabled by default since version 3.6.
According to data from Shodan, over 207,000 MongoDB instances are currently exposed to the internet, making them susceptible to this vulnerability.
Attack Mechanism and Impact
The vulnerability resides in MongoDB’s wire protocol compression mechanism, known as OP_COMPRESSED. When the server receives a compressed message, it allocates memory based on the uncompressedSize value specified by the attacker before verifying the actual decompressed size. This flaw allows an attacker to send a small 47KB zlib-compressed packet while claiming an uncompressed size of 48MB.
As noted by SentinelOne, the server allocates 48MB per connection without validation, resulting in a massive 1,027:1 memory amplification ratio. By opening multiple concurrent connections, an attacker can rapidly exhaust the server’s RAM, leading to an Out-of-Memory (OOM) kernel kill with exit code 137.
The efficiency of this Denial-of-Service (DoS) attack is alarming. Testing by Cato CTRL demonstrated that a server with 512MB of RAM crashes in approximately two seconds with just 10 connections sending 457KB of data. A 1GB instance succumbs to 25 connections in three seconds. Even a robust 64GB enterprise database can be taken offline in under a minute using around 1,363 connections and merely 64MB of traffic from a standard home internet connection.
Detection and Mitigation
Network defenders should monitor for high volumes of TCP connections to port 27017 from a single source and for rapid connection establishments that remain idle. Indicators of compromise include OP_COMPRESSED packets under 100KB claiming an uncompressed size over 10MB. System logs may show rapid MongoDB memory spikes and OOM killer events targeting the mongod process.
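As an added illustration of the indicator above (not code from the article or from the vendors it cites): a Python check that parses the OP_COMPRESSED header and flags frames whose claimed uncompressed size dwarfs the bytes actually on the wire. The opcode values and header layout come from MongoDB's public wire protocol documentation; the thresholds are the article's, and the sample frames are constructed fixtures.

```python
import struct

# MongoDB wire protocol constants from the public protocol specification.
OP_COMPRESSED = 2012
OP_MSG = 2013
HEADER_LEN = 16           # messageLength, requestID, responseTo, opCode (four int32)
COMPRESSED_HDR_LEN = 9    # originalOpcode (int32), uncompressedSize (int32), compressorId (uint8)

# Thresholds taken from the article's detection indicators.
SMALL_PACKET_BYTES = 100 * 1024           # packet under 100KB ...
LARGE_CLAIM_BYTES = 10 * 1024 * 1024      # ... claiming more than 10MB uncompressed


def parse_op_compressed(msg: bytes):
    """Return (wire_len, claimed_uncompressed_size, compressor_id) for a complete
    OP_COMPRESSED message, or None if the bytes are not one."""
    if len(msg) < HEADER_LEN + COMPRESSED_HDR_LEN:
        return None
    msg_len, _req_id, _resp_to, op_code = struct.unpack_from("<iiii", msg, 0)
    if op_code != OP_COMPRESSED or msg_len != len(msg):
        return None
    _orig_op, claimed, comp_id = struct.unpack_from("<iiB", msg, HEADER_LEN)
    return msg_len, claimed, comp_id


def claimed_ratio(msg: bytes) -> float:
    """Claimed decompressed bytes per byte on the wire (0.0 if not OP_COMPRESSED)."""
    parsed = parse_op_compressed(msg)
    if parsed is None:
        return 0.0
    wire_len, claimed, _ = parsed
    return claimed / wire_len


def is_suspicious(msg: bytes) -> bool:
    """Apply the article's indicator: a small OP_COMPRESSED packet whose header claims
    a very large uncompressed size, judged from the header alone, before decompression."""
    parsed = parse_op_compressed(msg)
    if parsed is None:
        return False
    wire_len, claimed, _ = parsed
    return wire_len < SMALL_PACKET_BYTES and claimed > LARGE_CLAIM_BYTES


def _fixture(claimed: int, payload: bytes) -> bytes:
    """Constructed test fixture: a syntactically valid OP_COMPRESSED frame wrapping an
    OP_MSG with compressorId 2 (zlib). The payload is filler, not a real zlib stream."""
    body = struct.pack("<iiB", OP_MSG, claimed, 2) + payload
    return struct.pack("<iiii", HEADER_LEN + len(body), 1, 0, OP_COMPRESSED) + body


# Constructed samples: a normal small frame and one claiming 48MB from 45 wire bytes.
BENIGN = _fixture(200, b"\x00" * 20)
ANOMALOUS = _fixture(48 * 1024 * 1024, b"\x00" * 20)
```

In a sensor, `is_suspicious` would be applied to each reassembled frame on port 27017 and correlated with the connection-rate indicators described above.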
To mitigate this threat, administrators are advised to update to the patched MongoDB versions: 8.2.4, 8.0.18, or 7.0.29. If immediate upgrading is not feasible, disabling compression entirely using the --networkMessageCompressors=disabled option is recommended. Additionally, organizations should restrict database network access to trusted networks via firewalls, implement connection limits using the maxIncomingConnections setting, and avoid allowing public network access (0.0.0.0/0) on MongoDB Atlas clusters.
Staying vigilant and applying these mitigations promptly is crucial to protect MongoDB servers from potential exploitation.