
[FIX ISSUE FALSE-POSITIVE] CVE-2025-14847: High False Positives on Non-MongoDB #15579

Merged
ritikchaddha merged 1 commit into main from FALSE-POSITIVE]-CVE-2025-14847-High-False-Positives-on-Non-MongoDB on Mar 12, 2026

Conversation

@Akokonunes
Contributor

Fix CVE-2025-14847 FPs: reversed flow to tcp(1) && javascript(1) so TCP fingerprints MongoDB first. Added isMongoDBResponse() opcode guard, removed loose 10+ printable-string leak detection, added missing 4.4/4.2/4.0/3.6 version ranges.

PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

Additional References:

@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 10, 2026

Neo - Nuclei Template Review

No security issues found

Highlights

  • Flow reversal from || to && makes detection more restrictive - TCP fingerprinting now required before exploit attempt
  • Added isMongoDBResponse() function validates MongoDB protocol opcodes (OP_REPLY=1, OP_MSG=2012, OP_COMPRESSED=2013) to prevent false positives on HTTP/SSH/other services
  • Removed loose string extraction logic that triggered on any 10+ character printable sequence - now focuses on BSON error patterns
  • Added missing vulnerable version ranges (3.6, 4.0, 4.2, 4.4) to improve coverage per CVE advisory
  • TCP fingerprinting (buildInfo command) now mandatory first step - validates target is MongoDB before sending exploit payload

Hardening Notes

  • PR validation checkboxes are unchecked - recommend testing against vulnerable MongoDB instances (versions 3.6 through 8.2) and non-MongoDB services to verify false positive reduction
  • The removal of generic string extraction is a deliberate trade-off: significantly reduces false positives but may miss edge case memory leaks that don't contain BSON error markers
  • Consider running parallel detection with old/new templates temporarily to compare detection rates before full rollout
  • Template represents security-positive change: stricter protocol validation, mandatory fingerprinting, and focused leak detection patterns

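The opcode guard that both the PR description and Neo's review describe, written out as an added example that is not code from the PR or from the nuclei-templates project: it parses the MongoDB MsgHeader and accepts only the OP_REPLY (1), OP_MSG (2012) and OP_COMPRESSED (2013) opcodes named above, so text banners from HTTP or SSH services never reach the leak matchers. Function names, the sample frames and the BSON document are assumptions constructed for this example.

```javascript
// Added example (not the nuclei template's or projectdiscovery's own code):
// a guard that accepts a raw TCP reply only when it parses as a MongoDB
// wire-protocol message. Function and constant names here are assumed.
const MONGO_REPLY_OPCODES = {
  1: "OP_REPLY",        // legacy reply to OP_QUERY (e.g. to a buildInfo probe)
  2012: "OP_MSG",       // standard reply format since 3.6
  2013: "OP_COMPRESSED",
};

// MsgHeader: four little-endian int32s (messageLength, requestID, responseTo, opCode).
function parseMsgHeader(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 16) return null;
  return {
    messageLength: buf.readInt32LE(0),
    requestID: buf.readInt32LE(4),
    responseTo: buf.readInt32LE(8),
    opCode: buf.readInt32LE(12),
  };
}

// True only for a well-formed header with a server-side opcode. Text banners
// (HTTP, SSH, SMTP) fail because their first four bytes decode to an absurd
// messageLength and bytes 12-15 never decode to 1, 2012 or 2013.
function isMongoDBResponse(buf) {
  const h = parseMsgHeader(buf);
  if (h === null) return false;
  if (h.messageLength < 16 || h.messageLength > buf.length) return false;
  if (!(h.opCode in MONGO_REPLY_OPCODES)) return false;
  if (h.opCode === 2012) {
    // OP_MSG body = flagBits (4 bytes) + at least one section; a kind-0
    // section starts with 0x00 followed by a BSON document (>= 5 bytes).
    if (h.messageLength < 16 + 4 + 1 + 5 || buf[20] !== 0x00) return false;
  }
  return true;
}

// Constructed sample: wrap a BSON document in an OP_MSG reply frame.
function buildOpMsg(bsonDoc, requestID = 1, responseTo = 7) {
  const body = Buffer.concat([Buffer.alloc(4), Buffer.from([0x00]), bsonDoc]);
  const header = Buffer.alloc(16);
  header.writeInt32LE(16 + body.length, 0);
  header.writeInt32LE(requestID, 4);
  header.writeInt32LE(responseTo, 8);
  header.writeInt32LE(2012, 12);
  return Buffer.concat([header, body]);
}

// Constructed BSON document {"ok": 1.0}: length 0x11, type 0x01 (double), key "ok", value, terminator.
const OK_DOC = Buffer.from([0x11, 0, 0, 0, 0x01, 0x6f, 0x6b, 0x00, 0, 0, 0, 0, 0, 0, 0xf0, 0x3f, 0x00]);
const HTTP_BANNER = Buffer.from("HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"); // constructed non-MongoDB reply
```

A truncated frame (header claims more bytes than were received) is rejected as well, which is the case a half-read TCP response produces.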

@github-actions github-actions bot requested a review from ritikchaddha March 10, 2026 01:54
@Akokonunes
Contributor Author

@pdneo review

@Akokonunes Akokonunes added the Done Ready to merge label Mar 11, 2026
Refactor CVE-2025-14847 YAML file to enhance clarity and detail. Update descriptions, remediation steps, and add additional references.
@Akokonunes Akokonunes force-pushed the FALSE-POSITIVE]-CVE-2025-14847-High-False-Positives-on-Non-MongoDB branch from 8d101ad to b000406 on March 12, 2026 11:24
@ritikchaddha ritikchaddha merged commit fbffea1 into main Mar 12, 2026
3 checks passed
@ritikchaddha ritikchaddha deleted the FALSE-POSITIVE]-CVE-2025-14847-High-False-Positives-on-Non-MongoDB branch March 12, 2026 11:49

Development

Successfully merging this pull request may close these issues.

[FALSE-POSITIVE] CVE-2025-14847: High False Positives on Non-MongoDB Services due to Blind Payload Injection & Flawed Matcher Logic