Conversation

@xaitax xaitax commented Jan 2, 2026

New Features Added

  1. CHECK Action (Wiz Magic Packet)

    • Quick vulnerability detection using single crafted packet
    • Based on Wiz Research Nuclei template technique
    • set ACTION CHECK then run
  2. Compression Pre-flight Check

    • Detects server's supported compressors via hello command
    • Warns/stops if zlib not enabled (required for CVE)
    • Displays available compressors
  3. Connection Reuse

    • New REUSE_CONNECTION option (default: true)
    • Persistent TCP connection instead of reconnect per probe
    • Significant speed improvement
  4. Improved Leak Extraction

    • Printable ASCII sequences (6+ chars)
    • MongoDB connection string patterns (mongodb://)
    • JSON/BSON fragment detection
    • Broader quoted string extraction
  5. JSON Export

    • New SAVE_JSON option (default: true)
    • Structured report with offsets, base64 data, timestamps, secrets
    • Machine-parseable for automation

@msutovsky-r7 msutovsky-r7 self-assigned this Jan 5, 2026
Comment on lines +46 to +47
6. `set ACTION CHECK` then `run` (optional - quick vulnerability check)
7. `set ACTION SCAN` then `run` (full exploitation)
Contributor

Why set ACTION instead of using check and run directly?

Contributor Author

AFAIK doesn't exist for aux.

'dd070000', # originalOpcode (OP_MSG = 2013)
'32000000', # uncompressedSize (50 - inflated)
'02', # compressorId (zlib = 2)
'789c636080028144064620050002ca0073' # zlib compressed payload
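Review bot: the comment `# uncompressedSize (50 - inflated)` on the second line leaves it unclear whether 50 is the true inflated length of the zlib blob that follows or a value chosen to differ from it; state which in the comment, because a maintainer who replaces the hex literal with a `Zlib::Deflate.deflate(...)` call needs to know whether uncompressedSize must be recomputed alongside the payload.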
Contributor

I think we can be even cooler here and use something like Zlib::Deflate.deflate("{\"a\": 1}")
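As an added example (not code from this PR or from Metasploit), the OP_COMPRESSED framing quoted above built with Zlib::Deflate.deflate as suggested, next to a validator that checks the declared uncompressedSize against what the payload actually inflates to, which is the consistency check a defender-side wire-protocol inspector should apply. The opcode and compressor constants follow the MongoDB wire protocol; build_op_compressed and inspect_op_compressed are hypothetical helper names.

```ruby
require 'zlib'

# MongoDB wire-protocol opcodes and the zlib compressor id quoted in the review.
OP_MSG          = 2013
OP_COMPRESSED   = 2012
COMPRESSOR_ZLIB = 2

# Wraps an OP_MSG body in an OP_COMPRESSED frame, computing the payload with
# Zlib::Deflate.deflate and both sizes from the data (hypothetical helper).
# Layout: header (messageLength, requestID, responseTo, opCode), then
# originalOpcode, uncompressedSize, compressorId, compressed bytes.
def build_op_compressed(body, request_id: 1)
  compressed = Zlib::Deflate.deflate(body)
  payload = [OP_MSG, body.bytesize, COMPRESSOR_ZLIB].pack('l<l<C') + compressed
  header  = [16 + payload.bytesize, request_id, 0, OP_COMPRESSED].pack('l<l<l<l<')
  header + payload
end

# Parses an OP_COMPRESSED frame and validates it the way a defender-side
# inspector should: messageLength must match the frame, only zlib is handled,
# and the declared uncompressedSize must equal the inflated length.
def inspect_op_compressed(frame)
  msg_len, _request_id, _response_to, op_code = frame.byteslice(0, 16).unpack('l<l<l<l<')
  return { valid: false, reason: 'not OP_COMPRESSED' } unless op_code == OP_COMPRESSED
  return { valid: false, reason: 'messageLength does not match frame' } unless msg_len == frame.bytesize
  orig_op, declared, comp_id = frame.byteslice(16, 9).unpack('l<l<C')
  return { valid: false, reason: "compressorId #{comp_id} not handled" } unless comp_id == COMPRESSOR_ZLIB
  inflated = Zlib::Inflate.inflate(frame.byteslice(25, frame.bytesize - 25))
  { valid: inflated.bytesize == declared, original_opcode: orig_op,
    declared_size: declared, actual_size: inflated.bytesize, body: inflated }
rescue Zlib::Error => e
  { valid: false, reason: "inflate failed: #{e.message}" }
end
```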

#
# Quick vulnerability check using Wiz Research magic packet
#
def run_check(ip)
Contributor

There are already a handful of mongodb modules in metasploit; it would make sense to split the fingerprinting parts of this function into a mixin.
