## https://sploitus.com/exploit?id=89FE6A03-89FF-5A82-9312-FBE4A09768BE
# CVE-2025-14847 (MongoBleed)
## ๐ Description
This script is designed to exploit the **heap memory disclosure vulnerability** known as **CVE-2025-14847** ("MongoBleed") in MongoDB Server.
By sending specially crafted zlib-compressed OP_MSG packets with an inflated document length, the script tricks the server into returning uninitialized heap memory in its response. This can leak sensitive information such as:
The script continuously sends probes with varying offsets and prints **newly observed leaked strings** in real time. It suppresses duplicates to keep output clean and readable.
## Credits
The [original PoC by Joe Desimone](https://github.com/joe-desimone/mongobleed) performs a **single pass** over a defined offset range, collects all unique fragments, saves them to a file, and optionally highlights interesting patterns at the end.
## Affected Versions
| Version | Affected | Fixed |
|-------|----------------|--------|
| 8.2.x | 8.2.0 - 8.2.2 | 8.2.3 |
| 8.0.x | 8.0.0 - 8.0.16 | 8.0.17 |
| 7.0.x | 7.0.0 - 7.0.27 | 7.0.28 |
| 6.0.x | 6.0.0 - 6.0.26 | 6.0.27 |
| 5.0.x | 5.0.0 - 5.0.31 | 5.0.32 |
## ๐ ๏ธ Installation
> [!NOTE]
> To ensure a clean and isolated environment for the project dependencies, it's recommended to use Python's `venv` module.
### OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-14847.git
cd CVE-2025-14847
python3 -m venv .venv
source .venv/bin/activate
```
### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-14847.git
cd CVE-2025-14847
python -m venv .venv
.venv\Scripts\activate
```
## โ๏ธ Usage
```bash
python3 CVE-2025-14847.py --host 127.0.0.1 --port 27017
```

## ๐ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.