Improve mongobleed checks#21275
Pull request overview
This PR improves the CVE-2025-14847 “Mongobleed” MongoDB scanner by making the framework check workflow more accurate, reducing false positives against non-MongoDB services, and tightening zlib/compression handling.
Changes:
- Replaces the custom `ACTION=CHECK` flow with a standard scanner `check_host` implementation returning `Exploit::CheckCode` values.
- Improves compressor detection by negotiating `hello`/`isMaster` with a BSON array (and adds BSON array building support).
- Adds additional wire-protocol validation/sanity checks to reduce false positives and improve robustness.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| modules/auxiliary/scanner/mongodb/cve_2025_14847_mongobleed.rb | Adds standard check_host, strengthens protocol validation, and refines compression detection logic (zlib-focused). |
| documentation/modules/auxiliary/scanner/mongodb/cve_2025_14847_mongobleed.md | Updates usage docs to reflect the new check workflow and revised behavior/output. |
| version_info = get_mongodb_version | ||
| compressors = get_server_compressors | ||
| is_mongodb = !version_info.nil? || !compressors.nil? | ||
|
|
||
| return Exploit::CheckCode::Safe('Target does not appear to be a MongoDB service') unless is_mongodb |
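Review bot: `is_mongodb = !version_info.nil? || !compressors.nil?` classes a host as MongoDB when only the compressor probe answered, so `version_info` can be nil past this point; anything after the `Safe` return that reads `version_info` needs a nil guard, or the condition should require the version lookup to succeed.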
check_host performs get_server_compressors before returning early for patched versions. If the version lookup succeeds but the compression probe hits a transient connection error, the rescue will return CheckCode::Unknown even though we already know the version is patched. Consider checking vuln_status == :patched and returning Safe before making the additional network call, or handling compressor lookup failures in a way that doesn’t override a definitive version-based result.
| if opcode == OP_COMPRESSED && response.length > 25 | ||
| payload = Zlib::Inflate.inflate(response[25, msg_len - 25]) | ||
| end | ||
| rescue Zlib::Error | ||
| # Decompression failed, check raw response | ||
| # Decompression failed — can't meaningfully scan compressed bytes |
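Review bot: the slice `response[25, msg_len - 25]` trusts the header's `msg_len` while the guard only checks `response.length > 25`; on a short read `Zlib::Inflate.inflate` gets a truncated stream, raises, and the rescue turns a network truncation into the same inconclusive result as a bad payload. Check `response.length >= msg_len` (or slice with `response[25..]`) before inflating so the two cases stay distinguishable.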
send_magic_packet_check attempts to zlib-inflate any OP_COMPRESSED response without checking the response’s compressorId. If the server replies with OP_COMPRESSED using snappy/zstd (or any non-zlib id), this will raise Zlib::Error and the method returns :unknown, making the check inconclusive. Parse and validate the compressorId byte (offset 24) and only inflate when it indicates zlib; otherwise handle the response in a way that preserves deterministic results (e.g., treat as inconclusive with an explicit reason).
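A decoder that performs the compressorId check the comment asks for, as an added example rather than the module's own code; the frame layout and compressor ids follow the MongoDB wire protocol, and the frames fed to it are constructed for illustration.

```ruby
require 'zlib'

# MongoDB wire-protocol constants (MongoDB wire spec: OP_COMPRESSED = 2012, OP_MSG = 2013).
OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_IDS = { 0 => :noop, 1 => :snappy, 2 => :zlib, 3 => :zstd }.freeze
# 16-byte MsgHeader + originalOpcode(4) + uncompressedSize(4) + compressorId(1)
COMPRESSED_HEADER_LEN = 25

# Parse a raw OP_COMPRESSED reply. Only compressorId 2 (zlib) is inflated; every
# other id and every malformed frame yields a deterministic :status and :reason
# instead of raising, so a scanner can report why a probe was inconclusive.
def decode_op_compressed(response)
  return { status: :truncated, reason: 'shorter than OP_COMPRESSED header' } if response.bytesize < COMPRESSED_HEADER_LEN
  msg_len, _req_id, _resp_to, opcode = response.unpack('l<l<l<l<')
  return { status: :not_compressed, reason: "opCode #{opcode}" } unless opcode == OP_COMPRESSED
  # Guard on the header's own length, not just the 25-byte minimum, so a short read is visible.
  return { status: :truncated, reason: "header says #{msg_len} bytes, got #{response.bytesize}" } if response.bytesize < msg_len
  original_opcode, uncompressed_size, compressor_id = response[16, 9].unpack('l<l<C')
  compressor = COMPRESSOR_IDS.fetch(compressor_id, :unknown)
  unless compressor == :zlib
    return { status: :inconclusive, reason: "compressorId #{compressor_id} (#{compressor}) is not zlib", compressor: compressor }
  end
  begin
    payload = Zlib::Inflate.inflate(response[COMPRESSED_HEADER_LEN, msg_len - COMPRESSED_HEADER_LEN])
  rescue Zlib::Error => e
    return { status: :inconclusive, reason: "zlib inflate failed: #{e.class}", compressor: :zlib }
  end
  # A server whose declared uncompressedSize disagrees with the inflated data is flagged, not trusted.
  if payload.bytesize != uncompressed_size
    return { status: :size_mismatch, reason: "uncompressedSize #{uncompressed_size} != inflated #{payload.bytesize}",
             compressor: :zlib, payload: payload }
  end
  { status: :ok, compressor: :zlib, original_opcode: original_opcode, payload: payload }
end

# Build a constructed OP_COMPRESSED frame for local testing (not a real server reply).
def build_op_compressed(body, compressor_id, compressed_body)
  tail = [OP_MSG, body.bytesize, compressor_id].pack('l<l<C') + compressed_body
  [16 + tail.bytesize, 1, 0, OP_COMPRESSED].pack('l<l<l<l<') + tail
end
```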
Release Notes
Added multiple improvements to the `cve_2025_14847_mongobleed.rb` module, such as adding a new dedicated `check` method, improved compression support detection as only zlib can be exploited, and resolving other false positives.
Verification
Check vuln
Network issues now bubbled up correctly:
Check Not vuln - no zlib compression enabled
Check not vuln - patched