MongoBleed
CVE-2025-14847, dubbed "MongoBleed," is an unauthenticated remote information disclosure vulnerability in MongoDB Server’s handling of zlib-compressed wire-protocol messages. The flaw is caused by incorrect length handling during zlib decompression of OP_COMPRESSED traffic, which the server processes before authentication. Available technical reporting indicates that the vulnerable logic in MongoDB’s zlib decompression path returns the allocated output buffer size rather than the actual decompressed data length, which can cause MongoDB to read and return uninitialized heap memory to the client. By sending specially crafted malformed compressed packets, a remote attacker can trigger disclosure of residual in-process memory contents. Affected versions include MongoDB Server 7.0 prior to 7.0.28, 8.0 prior to 8.0.17, 8.2 prior to 8.2.3, 6.0 prior to 6.0.27, 5.0 prior to 5.0.32, 4.4 prior to 4.4.30, and all 4.2, 4.0, and 3.6 versions listed in the advisory.
Exploits
29 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (21 hidden).
Small standalone exploit repository for CVE-2025-14847 targeting MongoDB Server’s zlib-based wire-protocol compression handling. The main exploit is mongobleed.py, a Python script that manually crafts a MongoDB OP_COMPRESSED message over a raw TCP socket. It embeds a legitimate compressed OP_QUERY for admin.$cmd with {"isMaster":1}, but falsifies the declared uncompressed size to a large attacker-controlled value (default 65536). Per the repository’s logic, this is intended to trigger allocation of a larger heap buffer than the actual decompressed content fills, causing residual heap memory to be returned in the server response. The script then reads the response, prints a hexdump preview, and writes the full capture to leaked_memory.bin. Repository structure is minimal: README.md documents the CVE, affected MongoDB versions, and mitigation guidance; docker is a simple Docker Compose-style lab definition exposing MongoDB 7.0.5 on port 27017 with zlib compression explicitly enabled; init-db.js seeds a test database (ctf_challenge) with fake data and a flag-like secret to make memory disclosure easier to observe in a lab. This indicates the repo is both a proof-of-concept exploit and a self-contained demonstration environment. The exploit is network-based, unauthenticated in design, and focused on information disclosure rather than code execution. It is not a scanner or detector: it actively sends a malformed protocol packet and attempts to retrieve leaked heap contents from the target.
Repository contains a Ruby exploit implementation for CVE-2025-14847 (“mongobleed”), targeting MongoDB’s OP_COMPRESSED (opcode 2012) handler. The exploit is a network, unauthenticated heap memory disclosure: it crafts a MongoDB wire-protocol message by building a minimal BSON document, wrapping it in OP_MSG (2013), compressing with zlib (compressor_id=2), then wrapping in OP_COMPRESSED while inflating the uncompressed_size field (commented as actual + 500 bytes). This coerces the server-side BSON parser to read beyond the decompressed buffer into heap memory; resulting parse errors leak heap contents (e.g., field-name/type related error strings). The script automates scanning across a user-defined document-length/offset range (--min-offset/--max-offset) to probe different heap offsets, extracts and deduplicates leaked fragments for display, writes raw leaked bytes to an output file (default leaked.bin), and performs simple post-scan secret keyword detection. Structure: (1) README.md documents the CVE, usage flags, and example leaked artifacts; (2) mongobleed.rb is the main entry point and contains modular classes (Compressor, BSONBuilder, WireProtocolBuilder, HeaderBuilder, PayloadBuilder, NetworkClient/Socket helpers, offset scanning, leak extraction/parsing, output formatting, file writing, and secret detection) wired together via a builder/workflow pattern and invoked by a CLI; (3) Gemfile/Makefile provide dependency management and run/lint targets; (4) .gitignore and RuboCop config support development hygiene. No hardcoded C2 infrastructure is present; the only runtime network target is the MongoDB host/port provided by the user (default localhost:27017).
Repository purpose: a combined scanner/exploitation toolkit plus training material for CVE-2025-14847 ("MongoBleed"), an unauthenticated MongoDB heap memory disclosure caused by incorrect handling of the zlib decompression length in OP_COMPRESSED messages.
Core exploit capability (cli/mongobleed.py):
- Network-based unauthenticated interaction with MongoDB over TCP (default 27017).
- Performs a MongoDB handshake/"hello" to fingerprint the server version and negotiate supported compressors; determines exploitability based on (1) version in vulnerable ranges and (2) zlib enabled.
- Exploits by crafting a malformed MongoDB wire-protocol OP_COMPRESSED (opcode 2012) with compressorId=zlib (2) and an attacker-inflated uncompressedSize, embedding malformed BSON/OP_MSG so the server’s error path returns strings containing uninitialized heap bytes.
- Implements memory extraction via offset scanning (configurable min/max offsets), batch/continuous modes, multithreaded scanning across target lists/CIDRs, and output controls (JSON, file export, hexdump/strings).
- Post-processing includes regex-based secret discovery for common credential/token formats (passwords, API keys, JWTs, AWS keys, MongoDB/Postgres/Redis URIs, GitHub/Slack tokens, and CTF flags).
Repository structure:
- cli/: primary Python 3 tool (stdlib-only) and CLI documentation.
- nuclei/: two Nuclei network templates: a safe version-only detector and an active template that confirms vulnerable version + zlib support (templates send raw wire-protocol bytes to port 27017).
- lab/: Docker Compose lab with multiple MongoDB containers (vulnerable, patched, and mitigated/no-zlib) plus a static nginx dashboard on 8080 and a heap warm-up script to increase the likelihood of leaking seeded secrets.
- docs/: extensive educational write-up (fundamentals → vulnerability → exploitation → detection → defense), including detection ideas (log event IDs, Suricata/Wireshark filters) and mitigation (patching matrix, disabling zlib).
Notable targets/endpoints:
- Primary target is the MongoDB TCP service on 27017 (and lab ports 27018-27021). The lab also exposes an HTTP dashboard on 8080. Seeded lab data includes internal hostnames/ports in connection strings that may appear in leaked heap output.
Repository purpose: an educational/research toolset around CVE-2025-14847 (MongoDB BSON decompression bounds-check failure leading to remote memory disclosure). It includes (1) an active probe/exploit script, (2) a Burp Suite scanner extension stub, and (3) network/host detection signatures (Suricata + YARA).
Structure and key files:
- mongobleed.py: Primary exploit/probing tool. It opens a TCP socket to the target MongoDB instance (default localhost:27017) and crafts an OP_MSG containing minimal BSON but lies about the BSON document length (doc_len). It then zlib-compresses the OP_MSG and wraps it in an OP_COMPRESSED message (opcode 2012) while also lying about the claimed uncompressed size (buffer_size = doc_len + 500). It iterates doc_len across a user-specified range (default 20–8192) to find offsets that trigger informative error responses. Responses are optionally decompressed and parsed with regexes to extract leaked fragments from error strings (e.g., "field name '...'") and "type N" patterns. Unique fragments are aggregated, printed (for longer fragments), and written to an output file (default leaked.bin). It also performs simple keyword checks for potential secrets (password/secret/key/token/admin/AKIA).
- burp/mongodb-memory-research.jar (+ burp/mongodb_config.json): A Burp extension conceptually implementing passive detection (MongoDB port + zlib support) and active testing by sending crafted BSON with mismatched sizes across several fixed sizes (1024–8192) and flagging responses that appear to contain memory fragments. The JSON config indicates safe_mode, request throttling, and reporting options.
- detection/cve-2025-14847.yar: YARA rule matching OP_COMPRESSED header bytes, the zlib marker, suspicious declared sizes, and error strings that may indicate memory disclosure.
- detection/suricata.rules: IDS signatures for traffic to MongoDB servers on 27017 matching OP_COMPRESSED + zlib and large length tests, plus server-to-client error-response patterns suggesting leaked non-ASCII fragments.
Exploit capabilities (mongobleed.py): unauthenticated, network-based information disclosure by sending malformed compressed MongoDB wire-protocol messages; automated offset scanning; leak extraction and persistence to disk. No RCE or privilege escalation logic is present—this is focused on memory disclosure harvesting.
Repository contains a single Python proof-of-concept exploit script plus a README and .gitignore. Key file: `CVE-2025-14847.py` implements a network-based PoC dubbed "MongoBleed live leaker" targeting a MongoDB service over TCP. It crafts MongoDB wire-protocol `OP_COMPRESSED` (opcode 2012) messages containing zlib-compressed `OP_MSG` (opcode 2013) with a minimal BSON-like document. The script manipulates the claimed uncompressed size using `doc_len + buffer_offset` and iterates `doc_len` across a range (`--min` to `--max`) to try to trigger anomalous server behavior consistent with an out-of-bounds read / information disclosure.
Operational behavior:
- Connects to `--host`/`--port` (defaults 127.0.0.1:27017) in a tight loop.
- Sends a crafted packet per iteration, receives one MongoDB message, and (if the response is also `OP_COMPRESSED`) attempts to zlib-decompress the response payload.
- Searches the response bytes for strings matching `field name '([^']*)'` and prints only newly observed leaks, filtering out common benign values (e.g., `a`, `$db`, `ping`).
The README markets it as an easy security tool with a GUI/exe download, but the repository itself only includes the Python PoC; no GUI or packaged binary is present in the analyzed files.
Repository purpose: a standalone Python tool (“MongoBleed-Pro”) that claims to exploit CVE-2025-14847, described as an unauthenticated remote memory disclosure in MongoDB’s zlib compression handling. The tool connects to a user-specified MongoDB host/port (or a list of targets), performs an automatic vulnerability check (per README), and then attempts to extract leaked memory across a configurable offset range using multi-threading.
Structure:
- mongobleed_pro.py: main exploit implementation and UI. Uses raw sockets/struct/zlib and concurrency (ThreadPoolExecutor) to send crafted requests and collect leaked bytes. Maintains global state (leaked_data, unique_leaks, found_secrets), deduplicates fragments, and scans the aggregated leak for high-value patterns.
- README.md: usage instructions, claimed affected versions, options (--target, --file, --threads, --min-offset, --max-offset), and output artifacts.
- requirements.txt: depends on rich for the terminal UI.
- LICENSE: MIT.
Exploit capabilities observed/claimed in code/README:
- Network-based targeting of MongoDB instances (host:port), including bulk scanning from a file.
- Multi-threaded leak attempts over a range of offsets to maximize disclosure.
- Post-processing of leaked memory: regex-based secret discovery for AWS access keys (AKIA…), OpenAI keys (sk-…), GitHub tokens (ghp_…), generic password/secret/token assignments, and email addresses.
- Local artifact generation: writes a readable “loot” text file and a raw binary dump per host.
Notable fingerprintable observables:
- Targets: MongoDB service over TCP (default port 27017 implied by examples).
- Output files: dump_alexcyberx_<host>.bin and loot_alexcyberx_<host>.txt.
Assessment: This is exploit code (not just detection) with an operational data-exfiltration workflow (connect → trigger leak → aggregate/dedupe → pattern match → write artifacts). The provided snippet is truncated, so the exact wire-protocol message format and the precise vulnerability trigger are not fully visible here, but the repository’s intent and post-exploitation handling are clear.
Repository purpose: a standalone Python proof-of-concept exploit for CVE-2025-14847 (“MongoBleed”), demonstrating unauthenticated heap memory disclosure from a MongoDB server via a malformed OP_COMPRESSED message.
Structure:
- exploit.py: Main exploit/scanner. Crafts a MongoDB wire-protocol OP_COMPRESSED (opcode 2012) packet containing a zlib-compressed OP_MSG (originalOpcode=2013) with malformed BSON. The key manipulation is setting the OP_COMPRESSED uncompressedSize field (buffer_size) inconsistently (larger than the real decompressed size), which is described as the root cause leading to reading beyond intended buffers.
- README.md: Minimal usage instructions (run a local vulnerable container via podman-compose; then run exploit.py).
- vuln-machine/: Local reproduction environment.
- podman-compose.yaml: Runs mongo:8.2.2, exposes 27017, enables zlib compression ("--networkMessageCompressors zlib") and binds to all interfaces.
- .env: Sets init DB credentials and database name.
- init-data/init-mongo.js: Seeds collections with example “sensitive” data (credit card-like records and many token strings) to make leakage observable.
Exploit capabilities and flow:
1) Network connection: Opens a TCP socket to host:port (default localhost:27017) with a 3s timeout.
2) Payload generation (prepare_payload): Builds malformed BSON content and wraps it in an OP_MSG structure; compresses the OP_MSG with zlib; wraps the compressed bytes in OP_COMPRESSED fields (originalOpcode=2013, uncompressedSize=buffer_size (attacker-controlled), compressorId=2 (zlib)); prepends a standard MongoDB message header.
3) Scanning strategy: Iterates doc_length from --min-offset to --max-offset (defaults 15..4096). For each, sends a payload with buffer_size = doc_len + 500 to probe different offsets/sizes.
4) Leak extraction (find_leaked_data): Parses the server response, optionally decompresses it if the opcode indicates OP_COMPRESSED, then regex-extracts likely leaked bytes from error strings: captures values inside "field name '...'" (excluding common benign fields) and captures "type (\d+)" values, recording suspicious type bytes (>31).
5) Output: Prints previews for longer leaked strings and writes all collected bytes to leaked.bin; reports total leaked bytes and duration.
Overall: This is an operational PoC data-disclosure exploit (not RCE). It targets MongoDB’s compressed wire-protocol handling and is paired with a containerized vulnerable lab to reproduce and observe memory leakage.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-14847, a memory disclosure ('bleed') vulnerability in MongoDB. The main exploit logic resides in 'poc.py', a Python script that crafts and sends specially formed OP_COMPRESSED messages to a target MongoDB server. By manipulating the claimed uncompressed size in the message, the script triggers the server to leak memory in its error responses. The script then parses these responses to extract leaked field names and searches for sensitive patterns such as passwords, tokens, and keys. The exploit is network-based, requiring only TCP access to the MongoDB service (default port 27017). The repository also includes a README.md with usage and ethical guidelines, and a standard Apache 2.0 license. The exploit is a functional PoC and does not belong to any exploitation framework.
This repository contains a proof-of-concept exploit for CVE-2025-14847, a memory leak vulnerability in MongoDB. The exploit is implemented in a single Python script (mongoExploit.py) and is accompanied by a detailed README.md. The exploit works by sending specially crafted BSON payloads with inflated document lengths to a MongoDB server, exploiting a bug in zlib decompression handling. This causes the server to leak memory fragments in error responses, which the script collects, analyzes for potential secrets, and saves to a binary file. The script is configurable via command-line arguments for target host, port, scan range, and output file. The attack vector is network-based, targeting MongoDB instances accessible over TCP. The exploit is a functional PoC and does not include weaponized or post-exploitation features.
This repository provides a comprehensive, operational proof-of-concept (PoC) exploit for CVE-2025-14847 (MongoBleed), a critical pre-authentication heap memory disclosure vulnerability in MongoDB (versions 3.6.x up to 8.2.2) when zlib compression is enabled. The exploit is implemented in Python (mainly in poc.py and live_leaker.py) and demonstrates how an attacker can craft a malicious OP_COMPRESSED message with a fake uncompressedSize field, causing the server to return uninitialized heap memory. The leaked data may include sensitive information such as authentication tokens, UUIDs, session IDs, and API keys, as simulated in the included test environment. The repository structure includes: - poc.py: Main exploit script, capable of both vulnerability checking and exploitation, with pattern matching for sensitive data in leaks. - live_leaker.py: Advanced exploit script that incrementally varies document sizes to maximize data leakage and pattern discovery. - popular_heap.py: Script to populate the MongoDB heap with target data, increasing the likelihood of leaking sensitive information. - init-db.js: JavaScript script to initialize the MongoDB database with realistic test data (player stats, sessions, tokens, API keys). - docker-compose.yml: Sets up a vulnerable MongoDB 7.0.5 instance with zlib compression enabled for testing. - Extensive documentation (README.md, GUIA_TECNICO_COMPLETO.md) covering technical details, usage, affected versions, and defense recommendations. The exploit is network-based, targeting MongoDB servers exposed on TCP port 27017. The code is mature and operational, with automated pattern detection for leaked secrets and support for both English and Portuguese environments. The repository is intended for authorized security testing and educational purposes only.
This repository implements a network-based exploit for CVE-2025-14847, a heap buffer over-read vulnerability in MongoDB's OP_COMPRESSED message handler. The exploit is contained in a single Ruby script, 'mongobleed.rb', which constructs and sends specially crafted MongoDB wire protocol messages to a target server. By inflating the uncompressed_size field in the OP_COMPRESSED message, the exploit causes the server to over-read heap memory, leaking its contents in error messages. The script automates the process of probing different heap offsets, collecting and deduplicating leaked data, and presenting it to the user. The exploit is unauthenticated and works over the network, requiring only the ability to connect to the MongoDB service. The repository also includes a Gemfile for dependencies and a Rubocop configuration file for code style, but all exploit logic resides in 'mongobleed.rb'.
This repository contains a Python proof-of-concept exploit for CVE-2025-14847 (MongoBleed), a heap memory leak vulnerability in MongoDB. The main file, MongoBLEED.py, crafts and sends a malicious OP_COMPRESSED packet with a forged decompression size to a target MongoDB server (default port 27017). If the server is vulnerable, it responds with leaked heap memory, which the script saves to 'memoria_vazada.bin'. The exploit requires network access to the target and Python 3.x. The repository structure is simple, consisting of the exploit script and a README.md with usage instructions and a description of the vulnerability. No framework is used; this is a standalone PoC exploit.
This repository provides a comprehensive toolkit for CVE-2025-14847 (MongoBleed), a critical unauthenticated memory-leak vulnerability in MongoDB Server's zlib compression handling. The structure includes:
- **exploit/**: Contains the main exploit (mongobleed.py) and supporting libraries for crafting malicious MongoDB wire protocol messages (lib/protocol.py) and extracting sensitive data from leaked memory (lib/extractor.py). The exploit works by sending a malformed OP_COMPRESSED message to a vulnerable MongoDB server, causing it to return uninitialized heap memory. Extracted data is analyzed for credentials, API keys, tokens, PII, and more.
- **detection/**: Includes detection rules for SIEM (Sigma), IDS/IPS (Suricata/Snort), YARA rules for memory/packet analysis, and a Python scanner (scanner.py) for safe vulnerability assessment.
- **lab/**: Provides a Docker-based vulnerable MongoDB environment for safe testing, with scripts to initialize the database with sample sensitive data.
- **remediation/**: Contains scripts and documentation for verifying patch status and remediation steps.
The exploit is operational, with a customizable Python payload that can leak and analyze sensitive memory from the target. The attack vector is network-based, requiring only TCP access to the MongoDB port (default 27017) with zlib compression enabled. No authentication is required. The repository also provides extensive detection and remediation resources, making it suitable for both offensive and defensive security research.
This repository provides a working proof-of-concept (PoC) exploit for CVE-2025-14847, a heap memory leak vulnerability in MongoDB when zlib network message compression is enabled. The main exploit is implemented in 'poc.ts', a TypeScript script that crafts a malicious OP_COMPRESSED packet with a fake uncompressed size and sends it to a vulnerable MongoDB server (default: 127.0.0.1:27018). If the server is vulnerable, it leaks uninitialized heap memory, which the script saves to 'leaked_memory.bin' and previews as a hexdump. The repository includes Docker Compose files to set up both vulnerable and fixed MongoDB environments, and an initialization script ('init-db.js') that seeds the database with a flag and fake data for CTF/validation purposes. The exploit is operational and demonstrates the vulnerability, but does not provide a weaponized or framework-integrated payload. The repository also contains detailed remediation instructions and references for patching or mitigating the vulnerability.
This repository contains a proof-of-concept exploit for CVE-2025-14847 ("MongoBleed"), a heap memory disclosure vulnerability in MongoDB Server. The main file, CVE-2025-14847.py, is a Python script that connects to a specified MongoDB instance (default port 27017) and sends specially crafted, zlib-compressed OP_MSG packets with manipulated document lengths. This triggers the server to return uninitialized heap memory, which may contain sensitive information. The script continuously probes the server, varying the document length and buffer offset, and prints out newly observed leaked strings in real time, suppressing duplicates for clarity. The README provides detailed usage instructions, affected/fixed version information, and credits. The exploit is a network-based memory disclosure tool, not a detection script, and is intended for research and educational purposes.
This repository contains a proof-of-concept exploit (mongobleeder.py) for CVE-2025-14847, a critical memory leak vulnerability in MongoDB's OP_COMPRESSED message handler. The exploit is implemented in Python and is fully self-contained, requiring only standard library modules. The main script, mongobleeder.py, crafts and sends malicious OP_COMPRESSED messages to a target MongoDB server, manipulating the uncompressed_size field to trigger the server to allocate an oversized buffer. The server then leaks uninitialized memory in error messages, which the exploit parses and saves to a binary file (mongobleeder_leaked.bin) for further analysis. The exploit supports both SSL/TLS and plaintext connections, and provides options for tuning the memory offset range and buffer size. The repository includes comprehensive documentation (README.md, USAGE.md, SECURITY.md) covering usage scenarios, ethical guidelines, and technical details. No external dependencies are required. The exploit is intended for authorized security testing and research only.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-14847 (MongoBleed), a critical unauthenticated memory disclosure vulnerability in MongoDB. The exploit is implemented in a single Python script (CVE-2025-14847.py) and is accompanied by a detailed README.md explaining the vulnerability, affected versions, exploitation steps, and mitigation advice. The exploit works by sending specially crafted zlib-compressed MongoDB wire protocol messages (OP_COMPRESSED) with intentionally inconsistent BSON lengths to a target MongoDB server. Vulnerable servers mishandle these messages, resulting in the disclosure of uninitialized heap memory in error responses. The script automates this process, iterating over a range of document lengths, parsing responses for leaked data, and saving unique memory fragments to a binary file. It also scans for common sensitive keywords (e.g., 'password', 'token') in the leaked data. The attack vector is network-based, requiring only TCP access to the MongoDB service (default port 27017). No authentication is required, making this a high-severity issue for exposed or unpatched servers. The exploit is a PoC and does not provide a weaponized or easily customizable payload, but it demonstrates the vulnerability's impact and can be used for authorized security testing or research. The repository is well-structured, with clear usage instructions, version targeting, and defensive guidance in the README. No hardcoded IPs or domains are present; the script takes the target host and port as arguments. The only file output is the leak dump (leaked_memory.bin).
This repository provides a comprehensive security research toolkit for CVE-2025-14847 (MongoBleed), a critical unauthenticated memory disclosure vulnerability in MongoDB's network transport layer when zlib compression is enabled. The exploit is implemented in Python (exploit/mongobleed.py) and works by sending specially crafted OP_COMPRESSED messages with inflated uncompressedSize fields, causing the server to leak uninitialized heap memory in error responses. The exploit can extract sensitive data such as credentials, API keys, and internal state from the server's memory. The repository includes: - An exploit lab (exploit/ directory) with Docker Compose files to spin up both vulnerable and patched MongoDB instances, and an initialization script (init-mongo.js) that seeds the database with mock secrets for demonstration. - The main exploit script (exploit/mongobleed.py), which automates the attack and saves leaked data to a file. - Test scripts (test-exploit.sh, demo.sh) for automated validation. - A network scanner (scanner/mongobleed_scanner.py) to identify vulnerable MongoDB instances across networks. - A code scanner (code-scan/) to detect vulnerable MongoDB versions in codebases and infrastructure-as-code files. The exploit is operational and can be used to confirm the presence of the vulnerability and extract real memory data from affected MongoDB servers. The attack vector is network-based, requiring only TCP access to the MongoDB port (default 27017). No authentication is required. The toolkit is intended for authorized security testing and research only.
This repository provides a proof-of-concept exploit for CVE-2025-14847, a critical memory disclosure vulnerability in MongoDB's zlib decompression logic. The main exploit script, 'mongobleed.py', is a Python tool that connects to a target MongoDB server (default port 27017) and sends specially crafted OP_COMPRESSED messages to trigger the vulnerability. If successful, the server responds with uninitialized heap memory, which may contain sensitive information such as credentials, API keys, and other secrets. The script supports multi-threaded scanning and writes all unique leaked memory fragments to a binary file ('leaked.bin') for further analysis. The repository also includes a Docker Compose setup ('docker-compose.yml') and an initialization script ('initdb/init-mongo.js') to create a vulnerable MongoDB environment pre-populated with mock sensitive data, facilitating safe testing of the exploit. The README provides detailed usage instructions, affected versions, mitigation steps, and a disclaimer. The exploit is operational and demonstrates real-world impact, but does not provide post-exploitation capabilities beyond memory disclosure.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-14847, which targets MongoDB. The main exploit file, 'CVE-2025-14847.py', is heavily obfuscated and protected using PyArmor, making direct code analysis impossible without deobfuscation. The README and documentation clarify that the PoC is for academic and defensive research only, and is not intended for operational exploitation. The exploit is designed to be run on Python 2.7.14 under Windows, but may be adaptable to other platforms. The mitigation documentation suggests the vulnerability is related to MongoDB's handling of BSON requests, and recommends upgrading, restricting network exposure, and enabling authentication and TLS. No hardcoded network endpoints, IPs, or domains are visible in the unobfuscated portions of the code. The repository structure includes the main exploit, PyArmor runtime support, a license file, and documentation. The exploit's capabilities are presumed to involve demonstrating unauthorized access or manipulation of MongoDB via CVE-2025-14847, but the exact technical details are hidden by obfuscation.
This repository provides a Python 3 proof-of-concept exploit for CVE-2025-14847, a memory leak vulnerability in MongoDB's zlib decompression handling. The exploit consists of a single main script (exploit.py), a requirements.txt for dependencies, and a detailed README.md. The exploit works by crafting and sending malicious OP_COMPRESSED packets with inflated uncompressedSize fields to a target MongoDB server (default: localhost:27017). If the server is vulnerable, it returns uninitialized memory in its error responses, which the script parses and saves to a file (leaked.bin). The exploit is unauthenticated and works over the network, requiring only that the MongoDB instance is accessible and vulnerable. The code is a clear proof-of-concept, not weaponized, and is intended for security research and demonstration purposes.
This repository provides a comprehensive security research lab for CVE-2025-14847 (MongoBleed), a critical unauthenticated memory disclosure vulnerability in MongoDB's zlib network compression. The main exploit (exploit/mongobleed.py) is a Python script that crafts OP_COMPRESSED messages with inflated uncompressedSize fields, causing vulnerable MongoDB servers to leak uninitialized heap memory. The exploit is operational and can be used to extract sensitive data from any accessible MongoDB instance running a vulnerable version (5.0.0-5.0.31, 6.0.0-6.0.26, 7.0.0-7.0.27, 8.0.0-8.0.16, 8.2.0-8.2.2) with zlib compression enabled. The repository includes a Docker-based lab (exploit/docker-compose.yml) with both vulnerable and patched MongoDB containers, initialization scripts that populate the database with mock secrets, and test scripts for automated validation. Additional tools include a network scanner (scanner/mongobleed_scanner.py) for identifying vulnerable instances across networks and a code scanner (code-scan/main.py) for detecting vulnerable MongoDB versions in codebases. The exploit does not require authentication and is highly effective for both targeted and mass exploitation scenarios. The repository is well-documented, with detailed technical analysis, usage instructions, and legal disclaimers.
This repository contains a Go-based exploit for a memory leak vulnerability in MongoDB (likely CVE-2024-28847). The main file, 'mongobleed.go', implements the exploit logic. It crafts and sends custom MongoDB wire protocol messages (with zlib compression) to a specified MongoDB server, attempting to trigger a memory leak and extract arbitrary memory fragments from the server's process space. The exploit supports both targeted and scanning attacks, and can operate over plain TCP or SSL/TLS. Extracted memory fragments are analyzed for common secret patterns (such as passwords, tokens, and connection strings). The code is operational and can be used to test or exploit vulnerable MongoDB instances accessible over the network. The repository also includes Go module files ('go.mod' and 'go.sum') for dependency management.
This repository is a Go-based proof-of-concept exploit for CVE-2025-14847 (Mongobleed), a memory disclosure vulnerability in MongoDB. The exploit consists of a single main code file (poc.go), a Go module definition (go.mod), and a detailed README.md. The exploit works by crafting a malformed BSON document, compressing it, and sending it as an OP_COMPRESSED message directly to a MongoDB server over TCP (default port 27017). The server's error responses are parsed to extract leaked memory fragments, which may contain sensitive information. The exploit does not require authentication and targets vulnerable MongoDB versions prior to the official patch. The code is standalone, does not rely on any exploit framework, and is intended for research and educational purposes only.
This repository contains an advanced exploit tool, MongoBleed-Pro, targeting CVE-2025-14847, a critical memory disclosure vulnerability in MongoDB's zlib compression. The main exploit is implemented in 'mongobleed_pro.py', a Python 3 script with a hacker-themed terminal UI. The tool allows unauthenticated remote attackers to extract memory from vulnerable MongoDB instances by sending crafted wire protocol messages that trigger a buffer over-read. It supports multi-threaded and bulk scanning, automatic vulnerability detection, and secret pattern recognition (AWS keys, API tokens, passwords, emails). Extracted data is saved to output files for further analysis. The repository also includes a README with detailed usage instructions, a requirements file for dependencies (rich library), and a license. The exploit is operational, providing real data extraction and secret detection capabilities, and is suitable for authorized security testing of MongoDB servers.
This repository contains an advanced exploit tool, 'MongoBleed-Pro', targeting CVE-2025-14847, a critical memory disclosure vulnerability in MongoDB's zlib compression handler. The main exploit file, 'mongobleed_pro.py', is a Python 3 script that connects to a specified MongoDB instance (default port 27017, but customizable), sends crafted wire protocol messages to trigger a buffer over-read, and extracts leaked memory from the server. The tool is multi-threaded, supports bulk scanning from a file, and automatically detects if a target is vulnerable before exploitation. It parses extracted memory for sensitive information such as AWS keys, API tokens, passwords, and emails, and saves both the raw dump and parsed secrets to output files ('dump_<host>.bin' and 'loot_<host>.txt'). The exploit is unauthenticated and works remotely, making it a high-impact tool for security testing. The repository also includes a README with detailed usage instructions, supported arguments, and mitigation advice for administrators. The code is operational, with a focus on practical exploitation and data extraction, and is not part of a larger exploit framework.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-14847 (MongoBleed), a critical unauthenticated memory disclosure vulnerability in MongoDB. The exploit is implemented in a single Python script (CVE-2025-14847.py) and is accompanied by a detailed README.md explaining the vulnerability, affected versions, exploitation steps, and mitigation advice. The exploit works by sending specially crafted zlib-compressed MongoDB wire protocol messages (OP_COMPRESSED) with intentionally inconsistent BSON lengths to a target MongoDB server. Vulnerable servers mishandle these messages, resulting in the disclosure of uninitialized heap memory in error responses. The script automates this process, iterating over a range of document lengths, parsing responses for leaked data, and saving unique memory fragments to a binary file. It also scans for common sensitive keywords (e.g., 'password', 'token') in the leaked data. The attack vector is network-based, requiring only TCP access to the MongoDB service (default port 27017). No authentication is required, making this a high-severity issue for exposed or unpatched servers. The exploit is a PoC and does not provide a weaponized or easily customizable payload, but it demonstrates the vulnerability's impact and can be used for authorized security testing or research. The repository is well-structured, with clear usage instructions, version targeting, and defensive guidance in the README. No hardcoded IPs or domains are present; the script takes the target host and port as arguments. The only file output is the leak dump (leaked_memory.bin).
This repository provides a proof-of-concept exploit for CVE-2025-14847, a critical heap memory disclosure vulnerability in MongoDB's zlib compression implementation. The exploit is implemented in Python (poc.py) and works by sending a specially crafted OP_COMPRESSED packet to a vulnerable MongoDB server, causing it to return uninitialized heap memory. The exploit does not require authentication and targets the network interface of MongoDB (default 127.0.0.1:27017, but can be changed). The repository includes a docker-compose.yml file to set up a vulnerable MongoDB 7.0.5 instance with zlib compression enabled, and an init-db.js script to initialize the database with CTF challenge data, including a flag and decoy data. The README.md provides detailed background on the vulnerability, affected versions, and remediation steps. The exploit is operational and demonstrates the ability to leak sensitive memory from the server, which is saved to a file for further analysis.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Recent activity
539 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
MongoDB vulnerability enabling unauthenticated attackers to read uninitialized heap memory and thereby leak sensitive data from server memory; reported under active exploitation.
A critical pre-authentication memory disclosure (uninitialized memory exposure) vulnerability in MongoDB’s compressed wire-protocol message handling, enabling remote attackers to exfiltrate in-memory data (e.g., credentials, tokens, secrets) without crashing the service.
Referenced as an index label associated with previously flagged malicious Telegram distribution activity; no technical vulnerability details are provided in the content.