Severity: Critical | CWE-306 | OWASP A07:2021

MongoDB Without Authentication

Your MongoDB connection has no authentication credentials, allowing anyone who can reach the database port to read, modify, or delete all data.

How It Works

MongoDB historically shipped with authentication disabled by default, which enabled the 2016-2017 ransomware wave in which more than 27,000 databases were wiped. While newer versions enable auth by default, many setups, especially Docker-based dev environments, still start MongoDB without credentials, and nobody adds them before the same configuration reaches production.

Vulnerable Code

const { MongoClient } = require('mongodb');

// BAD: connecting to MongoDB without any authentication
const client = new MongoClient('mongodb://db.example.com:27017');
// No username, no password, no authSource: full access to all databases

Secure Code

const { MongoClient } = require('mongodb');

// GOOD: always authenticate with a dedicated user per database,
// and keep the credentials out of source control in an environment variable
const client = new MongoClient(process.env.MONGODB_URI);
// MONGODB_URI=mongodb://appuser:StrongPass@db.example.com:27017/mydb?authSource=mydb

Real-World Example

The 2017 MongoDB ransomware attacks wiped 27,000 databases in 72 hours. The attackers scripted the entire process: find open MongoDB instances on Shodan, dump all data, delete it, and leave a ransom note. An estimated 100+ terabytes of data were lost, and most victims never recovered theirs.

How to Prevent It

  • Always create a dedicated MongoDB user with a strong password for each application; never connect without credentials
  • Set authSource in your connection string so the driver knows which database holds the user's credentials
  • Start mongod with the --auth flag, or set security.authorization: enabled in your mongod.conf, so the server rejects unauthenticated clients
  • In Docker Compose, set MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD, then create app-specific users for your services
  • Never expose MongoDB port 27017 to the internet; restrict access to your VPC
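As an added example, not code from the original page, from the Data Hogo scanner or from the MongoDB driver, here is a Node.js start-up guard that applies the first two prevention steps (credentials present, authSource set) to MONGODB_URI before the application opens a connection. The function names (parseMongoUri, auditMongoUri, assertSafeMongoUri), the finding codes and the 12-character minimum password length are this example's own assumptions; it parses the driver's documented connection-string grammar itself, so it runs without the mongodb package installed.

```javascript
'use strict';

// Added example: a pre-flight check for a MongoDB connection string.
// Grammar assumed (the official driver's documented form):
//   mongodb[+srv]://[user:password@]host1[:port][,host2[:port]...][/db][?opt=val&...]
// All names and severity labels below are this example's own.

// Split a connection string into its parts without connecting to anything.
function parseMongoUri(uri) {
  const m = /^(mongodb(?:\+srv)?):\/\/(.*)$/.exec(uri);
  if (!m) throw new Error('not a MongoDB connection string: ' + uri);
  const scheme = m[1];
  let rest = m[2];

  // Options come after the first '?'.
  let query = '';
  const q = rest.indexOf('?');
  if (q !== -1) { query = rest.slice(q + 1); rest = rest.slice(0, q); }

  // The default database, if any, comes after the first '/'.
  let database = '';
  const slash = rest.indexOf('/');
  if (slash !== -1) { database = rest.slice(slash + 1); rest = rest.slice(0, slash); }

  // Userinfo precedes the last '@' of the authority. An '@' inside the
  // password must be percent-encoded, so splitting on the last '@' is safe.
  let username = null;
  let password = null;
  const at = rest.lastIndexOf('@');
  if (at !== -1) {
    const userinfo = rest.slice(0, at);
    rest = rest.slice(at + 1);
    const colon = userinfo.indexOf(':');
    username = decodeURIComponent(colon === -1 ? userinfo : userinfo.slice(0, colon));
    password = colon === -1 ? null : decodeURIComponent(userinfo.slice(colon + 1));
  }

  // Replica-set URIs list several hosts separated by commas.
  const hosts = rest.split(',').filter(Boolean);
  const options = new URLSearchParams(query);
  return { scheme, username, password, hosts, database, options };
}

// Returns a list of findings; an empty list means the URI passes the policy.
function auditMongoUri(uri, policy = {}) {
  const minPasswordLength = policy.minPasswordLength ?? 12; // assumed policy value
  const parts = parseMongoUri(uri);
  const findings = [];

  if (parts.username === null) {
    // This is exactly the "Vulnerable Code" case on the page.
    findings.push({ severity: 'critical', code: 'NO_CREDENTIALS',
      message: 'connection string carries no username or password' });
    return findings; // nothing else is meaningful without credentials
  }
  if (!parts.password) {
    findings.push({ severity: 'critical', code: 'EMPTY_PASSWORD',
      message: 'user "' + parts.username + '" has no password' });
  } else if (parts.password.length < minPasswordLength) {
    findings.push({ severity: 'high', code: 'WEAK_PASSWORD',
      message: 'password is shorter than ' + minPasswordLength + ' characters' });
  }
  if (!parts.options.has('authSource')) {
    // Without authSource the driver falls back to the path database, or "admin".
    findings.push({ severity: 'medium', code: 'NO_AUTHSOURCE',
      message: 'authSource not set; the driver guesses where the user is defined' });
  } else if (parts.options.get('authSource') === 'admin') {
    findings.push({ severity: 'low', code: 'ADMIN_AUTHSOURCE',
      message: 'user is defined in admin; prefer a per-application user in the app database' });
  }
  if (parts.hosts.length === 0) {
    findings.push({ severity: 'critical', code: 'NO_HOST',
      message: 'connection string names no host' });
  }
  return findings;
}

// Throws on critical/high findings so the process refuses to start;
// returns the advisory findings so the caller can log them.
function assertSafeMongoUri(uri, policy) {
  const findings = auditMongoUri(uri, policy);
  const blocking = findings.filter(f => f.severity === 'critical' || f.severity === 'high');
  if (blocking.length > 0) {
    throw new Error('refusing to start: ' +
      blocking.map(f => f.code + ': ' + f.message).join('; '));
  }
  return findings;
}

// Usage at process start-up (env var name as in the page's Secure Code):
//   const { MongoClient } = require('mongodb');
//   const warnings = assertSafeMongoUri(process.env.MONGODB_URI);
//   warnings.forEach(w => console.warn('[mongo-uri] ' + w.code + ': ' + w.message));
//   const client = new MongoClient(process.env.MONGODB_URI);

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { parseMongoUri, auditMongoUri, assertSafeMongoUri };
}
```

Call assertSafeMongoUri from the module that constructs the MongoClient, before the first connect: a URI like the page's vulnerable one aborts start-up with NO_CREDENTIALS, while a URI with credentials but no authSource only produces a logged warning. The parser splits the string and nothing more; host names and the remaining options are left to the driver, which validates them when it connects.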

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.
