MongoBleed (CVE-2025-14847) Critical Memory Leak in MongoDB ...

src/network-services-pentesting/27017-27018-mongodb.md

@@ -79,6 +79,27 @@ grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
 grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed
 ```
 
+## MongoBleed (CVE-2025-14847) - Unauthenticated Zlib heap leak
+
+- **Impact:** Unauthenticated zlib traffic can force mongod to return uninitialized heap data by inflating `uncompressedSize`, leaking creds/tokens from other sessions.
+- **Affected:** MongoDB 4.4–8.0 when `zlib` appears in `networkMessageCompressors`.
+- **Quick check for zlib support:**
+
+```bash
+mongosh --host TARGET --port 27017 --eval 'db.adminCommand({getParameter:1, networkMessageCompressors:1})'
+grep -i "compression" /etc/mongod.conf
+```
+
+- **Attack flow:**
+  1. Connect and negotiate `zlib`.
+  2. Send a compressed message whose claimed uncompressed length is far larger than the payload to make the server allocate a big buffer.
+  3. The reply echoes that buffer, leaking heap bytes; repeat with varied lengths to carve useful data.
+- **PoC usage (mongobleed):**
+
+```bash
+python3 mongobleed.py --host TARGET --port 27017 --dump 10MB --loop --decode
+```
+
 ## Mongo Objectid Predict
 
 Example [from here](https://techkranti.com/idor-through-mongodb-object-ids-prediction/).
@@ -102,6 +123,11 @@ The tool [https://github.com/andresriancho/mongo-objectid-predict](https://githu
 
 If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**.
 
+## References
+- [Rapid7 MongoBleed write-up](https://www.rapid7.com/blog/post/etr-mongobleed-cve-2025-1484-critical-memory-leak-in-mongodb-allowing-attackers-to-extract-sensitive-data)
+- [mongobleed PoC](https://github.com/Hamid-K/mongobleed)
+- [MongoDB SERVER-115508 advisory](https://jira.mongodb.org/browse/SERVER-115508)
+
 ---
 
 {{#include ../banners/hacktricks-training.md}}