Dear community,
As you might have heard, a high severity vulnerability (nicknamed MongoBleed) affecting MongoDB was published on 2025-12-19.
While we're working to provide patched versions for all the MongoDB versions we support, we want to share some mitigations and insights on this vulnerability.
This vulnerability can only be exploited if both of the following conditions are true:
- Your server is reachable over the network
- zlib network compression is allowed on the server (this is the default, and it is what the Charmed MongoDB Operator configures).
Servers that are not reachable on the network are not affected. If you have manually disabled zlib compression, you are not affected.
Mitigation steps
Here are the mitigation steps. MongoDB negotiates the compressor with each client automatically and uses zlib only as a fallback, so in practice it is almost never used.
Because of that, you can do any of the following three things:
- Isolate your MongoDB instances from the external network
- Disable zlib on MongoDB directly.
- Enforce snappy or zstd on client side.
Disable zlib on MongoDB directly
Here are the configuration files to modify:
- Charmed MongoDB VM: /var/snap/charmed-mongodb/current/etc/mongod/mongod.conf and /var/snap/charmed-mongodb/current/etc/mongos/mongod.conf
- Charmed Mongos VM: /var/snap/charmed-mongodb/current/etc/mongos/mongod.conf
- Charmed MongoDB Kubernetes: /etc/mongod/mongod.conf and /etc/mongos/mongod.conf
- Charmed Mongos Kubernetes: /etc/mongos/mongod.conf
Add the following lines (the indentation matters, as mongod.conf is YAML):
net:
  compression:
    compressors: snappy,zstd
Then run snap restart charmed-mongodb.mongod.
You can verify that zlib is disabled from a mongosh shell:
$ db.adminCommand({ getCmdLineOpts: 1 }).parsed.net.compression
> { compressors: 'snappy,zstd' }
Enforcing client side compression
Add compressors=snappy,zstd as a URI parameter to your clients' connection strings.
For example, connecting with mongosh would now be:
mongosh "mongodb://<user>:<password>@<hosts>/?replicaSet=<your-rs>&compressors=snappy,zstd"
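To check both mitigations above from the defender's side, here is an added example (not part of the original post or of the Charmed MongoDB code) that audits a mongod.conf fragment for the net.compression.compressors setting and a client connection string for the compressors URI parameter. The sample configs are constructed inline; a missing compressors key is treated as "zlib allowed", since that is mongod's default.

```python
"""Audit MongoDB compression settings for the MongoBleed zlib mitigation."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SAFE_COMPRESSORS = {"snappy", "zstd"}

# Constructed sample configs, not taken from a real deployment.
DEFAULT_CONF = """\
net:            # no compression stanza: mongod's default (snappy,zstd,zlib) applies
  bindIp: 0.0.0.0
  port: 27017
"""
HARDENED_CONF = """\
net:
  bindIp: 0.0.0.0
  port: 27017
  compression:
    compressors: snappy,zstd   # the mitigation from the post
"""


def compressors_from_conf(conf_text: str) -> Optional[list[str]]:
    """Return net.compression.compressors from mongod.conf text, or None if unset.
    Minimal walk of the indented block mappings mongod.conf uses; '#' starts a comment."""
    path = []  # stack of (indent, key) describing the current nesting
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return [c.strip() for c in value.strip("[] '\"").split(",") if c.strip()]
    return None


def server_allows_zlib(conf_text: str) -> bool:
    """True when mongod would still negotiate zlib: listed explicitly or left at default."""
    compressors = compressors_from_conf(conf_text)
    return compressors is None or "zlib" in compressors


def client_forces_safe_compressors(uri: str) -> bool:
    """True when the connection string pins compressors to snappy and/or zstd only."""
    requested = {c.strip() for v in parse_qs(urlsplit(uri).query).get("compressors", [])
                 for c in v.split(",")}
    return bool(requested) and requested <= SAFE_COMPRESSORS
```

Run server_allows_zlib over the real mongod.conf paths listed above and client_forces_safe_compressors over each application's connection string; any True from the first or False from the second means that side still permits zlib.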
MongoDB 6 charms have already been mitigated while the final patches are being prepared. You can find the mitigated versions in the following revisions:
- Charmed MongoDB Operator: revision 255
- Charmed Mongos Operator: revision 70
- Charmed MongoDB K8s Operator: revision 106
- Charmed Mongos K8s Operator: revision 61
- Charmed MongoDB Snap: revision 137
- Charmed MongoDB Rock: SHA b2c2f0fc2dcbba11cb5d3b9adc9270b9bc6f4ef873cbf5c3952212669d666fa8
We are actively working on providing patched versions for MongoDB 8 and the transition charm!
If you have questions or are in need of assistance, please contact us on Data Platform.