CVE-2025-14847 (MongoBleed) MongoDB Memory Leak Vulnerabilit...

src/network-services-pentesting/27017-27018-mongodb.md

@@ -102,9 +102,50 @@ The tool [https://github.com/andresriancho/mongo-objectid-predict](https://githu
 
 If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**.
 
----
+## MongoBleed zlib Memory Disclosure (CVE-2025-14847)
 
-{{#include ../banners/hacktricks-training.md}}
+A widespread unauthenticated memory disclosure ("MongoBleed") impacts MongoDB 3.6–8.2 whenever the **zlib network compressor is enabled**. During OP\_MSG decompression MongoDB returns the **attacker-controlled allocation length instead of the real uncompressed length**, so the reply contains uninitialized server memory that belongs to other connections, `/proc` files, or the WiredTiger cache.
+
+### Exposure requirements & quick checks
+
+- Server version must be within the vulnerable ranges (3.6, 4.0, 4.2, 4.4.0–4.4.29, 5.0.0–5.0.31, 6.0.0–6.0.26, 7.0.0–7.0.27, 8.0.0–8.0.16, 8.2.0–8.2.2).
+- `net.compression.compressors` or `networkMessageCompressors` must include `zlib` (default on many builds). Check it from the shell with:
+
+```javascript
+db.adminCommand({getParameter: 1, networkMessageCompressors: 1})
+```
+
+- The attacker only needs network access to the MongoDB port. No authentication is necessary.
+
+### Exploitation & harvesting workflow
+
+1. Initiate the wire-protocol handshake while advertising `compressors:["zlib"]` and force the session to use zlib.
+2. Send crafted compressed OP\_MSG frames whose declared `uncompressedSize` is much larger than the real payload so MongoDB allocates a huge buffer.
+3. Because MongoDB copies the entire buffer length into the reply, the BSON parser treats **garbage field names** as valid data until it hits a `\x00`, leaking chunks of process memory on every response.
+4. Vary the claimed document length/offset to walk process memory and aggregate leaks.
+
+The public PoC automates the probing offsets and carving of the returned fragments:
 
+```bash
+python3 mongobleed.py --host <target> --max-offset 50000 --output leaks.bin
+```
+
+Running wider offset ranges consistently yields:
+
+- MongoDB internal logs, connection UUIDs, client IPs and WireTiger stats.
+- `/proc` artifacts such as `meminfo`, socket statistics or container paths helpful for container escape or lateral movement.
+- Secrets that happen to be resident in memory (database creds, API tokens, cloud keys, session cookies, etc.).
+
+At scale, attackers first fingerprint `mongod` instances (e.g., Censys saw >87k exposed services), confirm the version/compressor, then loop the above sequence to build a searchable dump of leaked strings for follow-on compromise.
 
 
+## References
+
+- [Tenable – CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild](https://www.tenable.com/blog/cve-2025-14847-mongobleed-mongodb-memory-leak-vulnerability-exploited-in-the-wild)
+- [MongoDB Security Advisory SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508)
+- [Censys – MongoBleed Advisory](https://censys.com/advisory/cve-2025-14847)
+- [MongoBleed PoC (joe-desimone/mongobleed)](https://github.com/joe-desimone/mongobleed)
+
+---
+
+{{#include ../banners/hacktricks-training.md}}