MongoBleed (CVE-2025-14847) Critical Memory Leak in MongoDB ...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.rapid7.com/blog/post/etr-mongobleed-cve-2025-1484-critical-memory-leak-in-mongodb-allowing-attackers-to-extract-sensitive-data
• Blog Title: MongoBleed (CVE-2025-14847): Critical Memory Leak in MongoDB Allowing Attackers to Extract Sensitive Data
• Suggested Section: Network Services Pentesting -> 27017,27018 - Pentesting MongoDB (add subsection: CVE-2025-14847 'MongoBleed' unauthenticated uninitialized-heap leak via Zlib network compression)

🎯 Content Summary

Overview (what happened, when, and why it matters)

Rapid7 summarizes MongoDB Inc.’s disclosure of MongoBleed (CVE-2025-14847), announced on December 19, 2025. The issue is an unauthenticated, remote memory disclosure that lets an attacker bypass authentication and extract uninitialized heap memory from a MongoDB server by manipulating Zlib-compressed network packets sent to the server...

🔧 Technical Details

Uninitialized-heap “bleed” via compressed protocol handling: When a network service supports Zlib-compressed protocol messages, malformed or manipulated compressed packets can drive request processing into a vulnerable path where the server responds with uninitialized heap memory. The attacker does not need authentication and typically cannot select exact secrets; instead they repeat the leak request many times, aggregate the returned bytes, and then search the dumped memory offline for high-value strings (credentials, tokens, and other sensitive fragments).

Operationalizing an info-leak primitive with automation/GUI tooling: Once a reliable memory disclosure primitive exists, attackers can package it into an operator-friendly tool that repeatedly triggers the leak, aggregates results (e.g., multi-megabyte dumps such as 10MB), and provides monitoring/feedback (e.g., live visual feed). This reduces friction for large-scale harvesting a...

🤖 Agent Actions

Summary:

• Added MongoBleed (CVE-2025-14847) section to MongoDB pentesting page detailing the unauthenticated zlib-based heap leak, impact, affected scope, quick config checks, exploit flow, PoC usage, and mitigations.
• Appended references to the Rapid7 write-up, mongobleed PoC repository, and MongoDB advisory tracker.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/etr-mongobleed-cve-2025-1484-critical-memory-leak-in-mongodb-allowing-attackers-to-extract-sensitive-data

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 27017,27018 - Pentesting MongoDB (add subsection: CVE-2025-14847 'MongoBleed' unauthenticated uninitialized-heap leak via Zlib network compression)".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0