Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
Secure Coding Challenge for MongoBleed
In December 2025, an extremely sensitive vulnerability dubbed MongoBleed was disclosed, affecting a wide range of MongoDB server versions.
At its core, the issue stems from mismatched length fields in Zlib-compressed MongoDB wire protocol headers, allowing an unauthenticated client to read uninitialised heap memory. In practice, this means data left over from previous database operations such as queries, responses, or internal state data, can be disclosed before any authentication enforcement occurs, hence allowing an attacker to trigger heap memory disclosure.
Unlike logic bugs confined to a specific feature or API, MongoBleed sits squarely in the wire protocol parsing layer. As a result, the impact spans multiple major MongoDB releases, with affected versions dating back as far as 2017.
To make this concrete, we built a secure coding challenge inspired by MongoBleed as part of our Holiday 7×7 Wargame.
The challenge recreates the vulnerability in a hands-on application, allowing you to observe how malformed compressed protocol input can trigger heap memory disclosure, and then try and fix the issue yourself by hardening the parsing logic.
Try the challenge: Play - SecDim
