支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:752

75.2%
立即捐款
一、 漏洞 CVE-2025-14847 基础信息
漏洞信息
                                        # Zlib协议头长度混淆漏洞

## 概述

在 Zlib 压缩协议头部中,由于长度字段不匹配,可能导致未认证客户端读取未初始化的堆内存。

## 影响版本

- MongoDB Server v7.0:低于 7.0.28
- MongoDB Server v8.0:低于 8.0.17
- MongoDB Server v8.2:低于 8.2.3
- MongoDB Server v6.0:低于 6.0.27
- MongoDB Server v5.0:低于 5.0.32
- MongoDB Server v4.4:低于 4.4.30
- MongoDB Server v4.2:≥ 4.2.0
- MongoDB Server v4.0:≥ 4.0.0
- MongoDB Server v3.6:≥ 3.6.0

## 细节

当解析 Zlib 压缩的协议头部时,若长度字段存在不匹配的情况,可能触发越界读取,从而访问未初始化的堆内存。

## 影响

未认证攻击者可利用此漏洞读取服务器上的未初始化堆内存,可能造成信息泄露。
神龙判断

是否为 Web 类漏洞: 未知

判断理由:

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Zlib compressed protocol header length confusion may allow memory read
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
长度参数不一致性处理不恰当
来源:美国国家漏洞数据库 NVD
漏洞标题
MongoDB Server 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
MongoDB Server是美国MongoDB公司的一套开源的NoSQL数据库。该数据库提供面向集合的存储、动态查询、数据复制及自动故障转移等功能。 MongoDB Server存在安全漏洞,该漏洞源于Zlib压缩协议头长度不匹配,可能导致读取未初始化内存。以下版本受到影响:v7.0 7.0.28之前版本、v8.0 8.0.17之前版本、v8.2 8.2.3之前版本、v6.0 6.0.27之前版本、v5.0 5.0.32之前版本、v4.4 4.4.30之前版本、v4.2 4.2.0及之后版本、v4.0
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-14847 的公开POC
#POC 描述源链接神龙链接
1 MongoDB 内存泄露漏洞 (CVE-2025-14847) 检测工具https://github.com/onewinner/CVE-2025-14847POC详情
2poc for CVE-2025-14847https://github.com/ProbiusOfficial/CVE-2025-14847POC详情
3a critical memory disclosure vulnerability in MongoDB's zlib compression handling. This tool allows security researchers to extract sensitive data from vulnerable MongoDB instances.https://github.com/cybertechajju/CVE-2025-14847_ExpolitPOC详情
4Nonehttps://github.com/KingHacker353/CVE-2025-14847_ExpolitPOC详情
5CVE-2025-14847 https://github.com/Ashwesker/Blackash-CVE-2025-14847POC详情
6MongoDB CVE-2025-14847 Heap Memory Leak Scanner | OP_COMPRESSED zlib Vulnerability | Bug Bounty & Red Team Toolhttps://github.com/Black1hp/mongobleed-scannerPOC详情
7golang test tool for mongobleed (cve-2025-14847)https://github.com/nma-io/mongobleedPOC详情
8Nonehttps://github.com/saereya/CVE-2025-14847---MongoBleedPOC详情
9The script focuses on safe artifact acquisition first, followed by optional on-host analysis, and produces a portable, hashed forensic archive suitable for offline investigation on a forensic workstation.https://github.com/JemHadar/MongoBleed-DFIR-Triage-Script-CVE-2025-14847POC详情
10Explot, Lab, Scanner - external and docker container, for SMongobleed-CVE-2025-14847 plus phoenix security uploaderhttps://github.com/franksec42/mongobleed-exploit-CVE-2025-14847POC详情
11Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0. https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2025/CVE-2025-14847.yamlPOC详情
12CVE-2025-14847 https://github.com/Ashwesker/Ashwesker-CVE-2025-14847POC详情
13CVE-2025-14847 – MongoDB Unauthenticated Memory‑Leak Exploithttps://github.com/lincemorado97/CVE-2025-14847POC详情
14Exploit lab, docker and code scanner for mongobleed Vulnerability CVE-2025-14847 plus Phoenix Security Sync toolshttps://github.com/Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847POC详情
15Academic proof-of-concept demonstrating CVE-2025-14847 for authorized security research.https://github.com/chinaxploiter/CVE-2025-14847-PoCPOC详情
16Detect exposed MongoDB instances and CVE-2025-14847 "MongoBleed" risks — Zero-Trust Python scannerhttps://github.com/14mb1v45h/CYBERDUDEBIVASH-MONGODB-DETECTOR-v2026POC详情
17MongoBleed: CVE-2025-14847 Memory Leak Discovery Toolhttps://github.com/kuyrathdaro/cve-2025-14847POC详情
18CVE-2025-14847 (MongoBleed)https://github.com/joshuavanderpoll/CVE-2025-14847POC详情
19Context-Aware Memory Leak Scanner & Exploit for CVE-2025-14847.https://github.com/tunahantekeoglu/MongoDeepDivePOC详情
20Remake of CVE-2025-14847 MongoDB vulnerability demonstrationhttps://github.com/vfa-tuannt/CVE-2025-14847POC详情
21Burp Suite extension to detect CVE-2025-14847 (MongoBleed) via manual leak tests from a dedicated UI tab.https://github.com/j0lt-github/mongobleedburpPOC详情
22CVE-2025-14847 MongoBleed - MongoDB Memory Leak Vulnerability PoChttps://github.com/FurkanKAYAPINAR/CVE-2025-14847-MongoBleed-ExploitPOC详情
23This repo contains my python script version of CVE-2025-14847 (MongoBleed)https://github.com/NoNameError/MongoBLEED---CVE-2025-14847-POC-POC详情
24Nonehttps://github.com/Rishi-kaul/CVE-2025-14847-MongoBleedPOC详情
25MongoBleed CVE-2025-14847 Vulnerability Checkerhttps://github.com/Systemhaus-Schulz/MongoBleed-CVE-2025-14847POC详情
26CVE-2025-14847 exploit for MongoDB heap memory disclosurehttps://github.com/demetriusford/mongobleedPOC详情
27MongoBleed (CVE-2025-14847) Lab & PoC : A complete educational environment to reproduce the critical unauthenticated memory leak in MongoDB. Includes a vulnerable Docker container with multi-database seeding (PII, API keys) and a Python exploit to demonstrate data extraction. Ideal for security research and awareness. 1-day analysis.https://github.com/ElJoamy/MongoBleed-exploitPOC详情
28Mongobleed Detector CVE-2025-14847https://github.com/keraattin/Mongobleed-Detector-CVE-2025-14847POC详情
29CVE-2025-14847 MongoDB Memory Leak Exploithttps://github.com/waheeb71/CVE-2025-14847POC详情
30Full automation check for CVE-2025-14847 MonogBleed- Finds origin IP and tests for exploit.https://github.com/CadGoose/MongoBleed-CVE-2025-14847-Fully-Automated-scannerPOC详情
31CVE-2025-14847 explaination and lab https://github.com/AdolfBharath/mongobleedPOC详情
32Nonehttps://github.com/sahar042/CVE-2025-14847POC详情
33CVE-2025-14847 | MongoBleed vulnerability proof of concept projecthttps://github.com/peakcyber-security/CVE-2025-14847POC详情
34Nonehttps://github.com/alexcyberx/CVE-2025-14847_ExpolitPOC详情
35🛠 Exploit the CVE-2025-14847 vulnerability in MongoDB to disclose sensitive heap memory using a Python script that analyzes responses for new leaked data.https://github.com/sakthivel10q/CVE-2025-14847POC详情
36🔍 Scan for MongoDB vulnerabilities with MongoBleed, a high-performance tool for detecting CVE-2025-14847 across large networks quickly and efficiently.https://github.com/pedrocruz2202/mongobleed-scannerPOC详情
37🛡️ Detect vulnerable MongoDB instances with the high-performance MongoBleed scanner for CVE-2025-14847, ensuring network security and data protection.https://github.com/pedrocruz2202/pedrocruz2202.github.ioPOC详情
38🛠 Exploit the CVE-2025-14847 MongoDB vulnerability to reveal sensitive information through crafted zlib-compressed packets and real-time output.https://github.com/sakthivel10q/sakthivel10q.github.ioPOC详情
39Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%BC%8F%E6%B4%9E/MongoDB%20Zlib%20%E5%8E%8B%E7%BC%A9%E5%8D%8F%E8%AE%AE%E5%A0%86%E5%86%85%E5%AD%98%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%20CVE-2025-14847.mdPOC详情
三、漏洞 CVE-2025-14847 的情报信息
四、漏洞 CVE-2025-14847 的评论

暂无评论

发表评论