
Critical MongoDB Vulnerability Exposes Over 87 Thousand Servers

Hello HaWkers, worrying news just emerged in the security world: researchers discovered that over 87,000 MongoDB servers are exposed on the internet with a critical vulnerability that allows unauthorized access to sensitive data.

If you use MongoDB in production, this article is essential. Let's understand what happened, how to check whether your server is vulnerable, and, most importantly, how to protect yourself.

What Happened

Security researchers identified a combination of insecure configurations and a new CVE affecting specific MongoDB versions. Most alarming is that many of these servers are completely open, without any authentication.

Alarming Numbers

Scale of the problem:

  • 87,000+ MongoDB servers publicly exposed
  • 40% without any authentication enabled
  • 23,000+ contain sensitive data (emails, passwords, PII)
  • 12,000+ already compromised by ransomware

Most affected versions:

  • MongoDB 4.4.x (before 4.4.28)
  • MongoDB 5.0.x (before 5.0.24)
  • MongoDB 6.0.x (before 6.0.13)
  • MongoDB 7.0.x (before 7.0.5)

⚠️ Urgent: If you use MongoDB in production, immediately check your version and security settings.

Checking If Your Server Is Vulnerable

The first step is identifying if your installation is at risk:

Quick Exposure Check

// Connect to your MongoDB with mongosh and execute:
// Check version (compare against the fixed releases listed above)
db.version()

// List the authentication mechanisms the server supports
// (this shows what is supported, not whether authorization is enforced)
db.adminCommand({ getParameter: 1, authenticationMechanisms: 1 })

// List users of the admin database (if empty, you're at risk!)
use admin
db.getUsers()

// Check bind IP and whether authorization is enabled
// (look at parsed.net.bindIp and parsed.security.authorization in the output)
db.adminCommand({ getCmdLineOpts: 1 })
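Reading the output of these commands by hand is error-prone. The script below is an added example, not code from the article: it takes the results of db.version(), db.adminCommand({ getCmdLineOpts: 1 }) and db.getUsers(), compares them against the fixed releases listed above and the settings the article recommends (authorization enabled, bind IP not 0.0.0.0, TLS required), and returns a list of findings. The two sample inputs at the bottom are constructed; paste real mongosh output into them to assess your own server.

```javascript
// Added example (not from the article): turns the exposure-check output into a verdict.
// Fixed releases as listed in the article, keyed by release series.
const FIXED_RELEASES = {
  '4.4': [4, 4, 28],
  '5.0': [5, 0, 24],
  '6.0': [6, 0, 13],
  '7.0': [7, 0, 5],
};

// "6.0.13-rc0" -> [6, 0, 13]; parseInt tolerates pre-release suffixes.
function parseVersion(version) {
  return String(version).split('.').slice(0, 3).map((s) => parseInt(s, 10) || 0);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// True when the version belongs to a listed series and is older than its fixed release.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED_RELEASES[`${v[0]}.${v[1]}`];
  if (!fixed) return false; // series not listed as affected on the page
  return compareVersions(v, fixed) < 0;
}

// version: db.version(); cmdLineOpts: getCmdLineOpts output; users: db.getUsers() output
// (mongosh returns either an array or { users: [...], ok: 1 }; both are accepted).
function assessExposure({ version, cmdLineOpts, users }) {
  const findings = [];
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  const net = parsed.net || {};
  const security = parsed.security || {};
  const userList = Array.isArray(users) ? users : (users && Array.isArray(users.users) ? users.users : []);

  if (isAffectedVersion(version)) {
    findings.push(`version ${version} is older than the fixed release for its series; upgrade`);
  }
  if (security.authorization !== 'enabled') {
    findings.push('security.authorization is not enabled; every client gets full access');
  }
  if (userList.length === 0) {
    findings.push('no users defined in admin; create an admin user before enabling authorization');
  }
  // mongod defaults to 127.0.0.1 when bindIp is absent; bindIpAll is the 0.0.0.0 equivalent.
  const bind = net.bindIpAll ? '0.0.0.0' : String(net.bindIp || '127.0.0.1');
  const bindList = bind.split(',').map((s) => s.trim());
  if (bindList.includes('0.0.0.0') || bindList.includes('::')) {
    findings.push(`net.bindIp is ${bind}; mongod listens on every interface`);
  }
  const tlsMode = (net.tls && net.tls.mode) || 'disabled';
  if (tlsMode !== 'requireTLS') {
    findings.push(`net.tls.mode is ${tlsMode}; credentials and data cross the network in clear text`);
  }
  return { exposed: findings.length > 0, findings };
}

// Constructed sample inputs: an open server and a hardened one.
const sampleOpen = {
  version: '6.0.10',
  cmdLineOpts: { parsed: { net: { port: 27017, bindIp: '0.0.0.0' }, security: {} } },
  users: [],
};
const sampleHardened = {
  version: '6.0.13',
  cmdLineOpts: {
    parsed: {
      net: { port: 27017, bindIp: '127.0.0.1', tls: { mode: 'requireTLS' } },
      security: { authorization: 'enabled' },
    },
  },
  users: { users: [{ user: 'adminUser', db: 'admin' }], ok: 1 },
};

console.log(JSON.stringify(assessExposure(sampleOpen), null, 2));
console.log(JSON.stringify(assessExposure(sampleHardened), null, 2));
```

The version check only knows the four series the article lists; a server on a series outside that table is reported as not affected by the version rule, so the configuration findings still need to be read on their own.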

Secure MongoDB Configuration

If you identified problems, here's how to fix them correctly:

1. Enable Authentication

First, create an admin user:

// Connect without authentication first
// mongosh --host localhost

// Switch to admin database
use admin

// Create admin user
db.createUser({
    user: "adminUser",
    pwd: passwordPrompt(), // Securely prompts for password
    roles: [
        { role: "userAdminAnyDatabase", db: "admin" },
        { role: "readWriteAnyDatabase", db: "admin" },
        { role: "dbAdminAnyDatabase", db: "admin" },
        { role: "clusterAdmin", db: "admin" }
    ]
})

// Create application user (minimum privileges)
use myAppDatabase

db.createUser({
    user: "appUser",
    pwd: passwordPrompt(),
    roles: [
        { role: "readWrite", db: "myAppDatabase" }
    ]
})

2. mongod.conf Configuration

Update your configuration file for maximum security:

# /etc/mongod.conf

# Network - NEVER use 0.0.0.0 in production
net:
  port: 27017
  bindIp: 127.0.0.1  # Localhost only

  # TLS/SSL (recommended)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem

# Security - ALWAYS enable
security:
  authorization: enabled
  javascriptEnabled: false  # Disable JavaScript on server

Secure Node.js Connection

Update your application for secure connections:

// config/database.js
const mongoose = require('mongoose');

const mongoConfig = {
    uri: process.env.MONGODB_URI,
    options: {
        authSource: 'admin',
        authMechanism: 'SCRAM-SHA-256',
        tls: true,
        tlsCAFile: process.env.MONGODB_CA_CERT,
        maxPoolSize: 10,
        serverSelectionTimeoutMS: 5000,
        retryWrites: true,
    }
};

async function connectDatabase() {
    try {
        await mongoose.connect(mongoConfig.uri, mongoConfig.options);
        console.log('MongoDB connected successfully');
    } catch (error) {
        console.error('Failed to connect MongoDB:', error);
        process.exit(1);
    }
}

module.exports = { connectDatabase };
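The config above trusts whatever is in the environment; if MONGODB_CA_CERT is unset or the URI carries tls=false, the application still starts. The script below is an added example, not part of the article's config/database.js: it validates the environment before connectDatabase() is called, builds the same option object the article uses, and redacts credentials from the URI so it can be logged. MONGODB_USER, MONGODB_PASSWORD and MONGODB_AUTH_SOURCE are assumed variable names (not from the article); it needs no driver, so it runs offline.

```javascript
// Added example (not from the article): fail closed on an insecure MongoDB configuration.

// Strips user:password from a MongoDB URI for safe logging. Works for mongodb:// and
// mongodb+srv://, including comma-separated replica-set host lists.
function redactUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/)[^@\/]*@/, '$1***:***@');
}

// Validates env and returns { ok, errors, options, safeUri }.
// options mirrors the mongoConfig.options object in the article.
function buildConnectionConfig(env) {
  const errors = [];
  const uri = env.MONGODB_URI;

  if (!uri || !/^mongodb(\+srv)?:\/\//.test(uri)) {
    errors.push('MONGODB_URI missing or not a mongodb:// or mongodb+srv:// URI');
  }
  const hasUriCredentials = !!uri && /^mongodb(?:\+srv)?:\/\/[^@\/]+@/.test(uri);
  // MONGODB_USER / MONGODB_PASSWORD are assumed names for credentials kept out of the URI.
  if (!hasUriCredentials && !(env.MONGODB_USER && env.MONGODB_PASSWORD)) {
    errors.push('no credentials: set MONGODB_USER and MONGODB_PASSWORD or embed them in the URI');
  }
  if (!env.MONGODB_CA_CERT) {
    errors.push('MONGODB_CA_CERT not set; the server certificate cannot be verified');
  }
  if (uri && /[?&]tls=false/i.test(uri)) {
    errors.push('URI disables TLS (tls=false); remove it');
  }
  if (uri && /[?&]tlsAllowInvalidCertificates=true/i.test(uri)) {
    errors.push('URI disables certificate validation (tlsAllowInvalidCertificates=true)');
  }

  const options = {
    authSource: env.MONGODB_AUTH_SOURCE || 'admin', // assumed variable, defaults as in the article
    authMechanism: 'SCRAM-SHA-256',
    tls: true,
    tlsCAFile: env.MONGODB_CA_CERT,
    maxPoolSize: 10,
    serverSelectionTimeoutMS: 5000,
    retryWrites: true,
  };
  // The Node driver accepts credentials via options.auth when they are not in the URI.
  if (!hasUriCredentials && env.MONGODB_USER) {
    options.auth = { username: env.MONGODB_USER, password: env.MONGODB_PASSWORD };
  }

  return { ok: errors.length === 0, errors, options, safeUri: uri ? redactUri(uri) : '' };
}

// Constructed sample environments.
const insecureEnv = { MONGODB_URI: 'mongodb://appUser:s3cret@db.example.com:27017/myAppDatabase?tls=false' };
const secureEnv = {
  MONGODB_URI: 'mongodb://appUser:s3cret@db1.example.com:27017,db2.example.com:27017/myAppDatabase',
  MONGODB_CA_CERT: '/etc/ssl/ca.pem',
};

for (const env of [insecureEnv, secureEnv]) {
  const result = buildConnectionConfig(env);
  // Never log the raw URI: safeUri has the credentials stripped.
  console.log(result.safeUri, result.ok ? 'OK' : result.errors);
}
```

To wire this into the article's module, call buildConnectionConfig(process.env) at the top of connectDatabase(), exit when ok is false, and pass result.options to mongoose.connect; log result.safeUri rather than the URI itself.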

Security Checklist

Basic configuration:

  • Authentication enabled with SCRAM-SHA-256
  • Users with minimum necessary privileges
  • Restricted bind IP (never 0.0.0.0)
  • Firewall configured correctly

Encryption:

  • TLS/SSL enabled for all connections
  • Valid and updated certificates
  • Encryption at rest enabled

Monitoring:

  • Audit logs enabled
  • Alerts for suspicious activities
  • Regular and tested backups

Conclusion

The vulnerability affecting 87,000 MongoDB servers is an important reminder that security cannot be left for later. Many of these exposures could be avoided with basic configurations that take minutes to implement.

If you use MongoDB in production, take time today to verify your configurations and implement necessary protections.

If you feel inspired to learn more about development security, I recommend checking out another article, REST API Security: Complete Guide, where you'll discover how to protect your endpoints from common attacks.

Let's go! 🦅
