module
MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed
| Disclosed | Created |
|---|---|
| Dec 19, 2025 | Dec 30, 2025 |
Disclosed
Dec 19, 2025
Created
Dec 30, 2025
Description
This module exploits a memory disclosure vulnerability in MongoDB's zlib
decompression handling (CVE-2025-14847). By sending crafted OP_COMPRESSED
messages with inflated BSON document lengths, the server reads beyond the
decompressed buffer and returns leaked memory contents in error messages.
The vulnerability allows unauthenticated remote attackers to leak server
memory which may contain sensitive information such as credentials, session
tokens, encryption keys, or other application data.
decompression handling (CVE-2025-14847). By sending crafted OP_COMPRESSED
messages with inflated BSON document lengths, the server reads beyond the
decompressed buffer and returns leaked memory contents in error messages.
The vulnerability allows unauthenticated remote attackers to leak server
memory which may contain sensitive information such as credentials, session
tokens, encryption keys, or other application data.
Authors
Alexander Hagenah
Diego Ledda
Joe Desimone
Diego Ledda
Joe Desimone
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.