Share
## https://sploitus.com/exploit?id=89FE6A03-89FF-5A82-9312-FBE4A09768BE
# CVE-2025-14847 (MongoBleed)


    
    
      
    


## ๐Ÿ“œ Description
This script is designed to exploit the **heap memory disclosure vulnerability** known as **CVE-2025-14847** ("MongoBleed") in MongoDB Server.
By sending specially crafted zlib-compressed OP_MSG packets with an inflated document length, the script tricks the server into returning uninitialized heap memory in its response. This can leak sensitive information such as: 
The script continuously sends probes with varying offsets and prints **newly observed leaked strings** in real time. It suppresses duplicates to keep output clean and readable.

## Credits
The [original PoC by Joe Desimone](https://github.com/joe-desimone/mongobleed) performs a **single pass** over a defined offset range, collects all unique fragments, saves them to a file, and optionally highlights interesting patterns at the end.

## Affected Versions
| Version |     Affected |  Fixed |
|-------|----------------|--------|
| 8.2.x | 8.2.0 - 8.2.2  | 8.2.3  |
| 8.0.x | 8.0.0 - 8.0.16 | 8.0.17 |
| 7.0.x | 7.0.0 - 7.0.27 | 7.0.28 |
| 6.0.x | 6.0.0 - 6.0.26 | 6.0.27 |
| 5.0.x | 5.0.0 - 5.0.31 | 5.0.32 |

## ๐Ÿ› ๏ธ Installation
> [!NOTE]
> To ensure a clean and isolated environment for the project dependencies, it's recommended to use Python's `venv` module.

### OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-14847.git
cd CVE-2025-14847
python3 -m venv .venv
source .venv/bin/activate
```

### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-14847.git
cd CVE-2025-14847
python -m venv .venv 
.venv\Scripts\activate
```

## โš™๏ธ Usage
```bash
python3 CVE-2025-14847.py --host 127.0.0.1 --port 27017
```
![Usage](/assets/usage.jpg)

## ๐Ÿ“ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.