This script is designed to exploit the heap memory disclosure vulnerability known as CVE-2025-14847 ("MongoBleed") in MongoDB Server. By sending specially crafted zlib-compressed OP_MSG packets with an inflated document length, the script tricks the server into returning uninitialized heap memory in its response. This can leak sensitive information such as:

The script continuously sends probes with varying offsets and prints newly observed leaked strings in real time. It suppresses duplicates to keep output clean and readable.

The original PoC by Joe Desimone performs a single pass over a defined offset range, collects all unique fragments, saves them to a file, and optionally highlights interesting patterns at the end.

| Version | Affected | Fixed |
|---|---|---|
| 8.2.x | 8.2.0 - 8.2.2 | 8.2.3 |
| 8.0.x | 8.0.0 - 8.0.16 | 8.0.17 |
| 7.0.x | 7.0.0 - 7.0.27 | 7.0.28 |
| 6.0.x | 6.0.0 - 6.0.26 | 6.0.27 |
| 5.0.x | 5.0.0 - 5.0.31 | 5.0.32 |
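
For the detection side, the length mismatch described above can be checked passively on captured wire messages. This is an added example, not part of this repository or the original PoC. It assumes the standard OP_COMPRESSED layout (16-byte header, `originalOpcode`, `uncompressedSize`, `compressorId`) and only inspects the first kind-0 section of an OP_MSG body; the function names, the inflate cap and the sample frame are constructed for illustration.

```python
import struct
import zlib

OP_COMPRESSED, OP_MSG, ZLIB_ID = 2012, 2013, 2
MAX_INFLATE = 64 * 1024 * 1024  # arbitrary cap chosen for this example


def check_frame(frame: bytes) -> list[str]:
    """Return findings for one wire message; an empty list means consistent."""
    if len(frame) < 16:
        return ["short header"]
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", frame, 0)
    findings = []
    if msg_len != len(frame):
        findings.append(f"messageLength {msg_len} != {len(frame)} bytes received")
    if opcode != OP_COMPRESSED or len(frame) < 25:
        return findings  # only complete OP_COMPRESSED frames are inspected
    orig_opcode, declared, compressor = struct.unpack_from("<iiB", frame, 16)
    if compressor != ZLIB_ID:
        return findings
    try:
        inflater = zlib.decompressobj()
        body = inflater.decompress(frame[25:], MAX_INFLATE)
    except zlib.error:
        return findings + ["zlib payload does not inflate"]
    if inflater.unconsumed_tail:
        return findings + ["inflated size exceeds cap"]
    if declared != len(body):
        findings.append(f"uncompressedSize {declared} != {len(body)} inflated bytes")
    # OP_MSG body: uint32 flagBits, then sections; kind 0 carries one BSON document.
    if orig_opcode == OP_MSG and len(body) >= 9 and body[4] == 0:
        (doc_len,) = struct.unpack_from("<i", body, 5)
        if doc_len < 5 or doc_len > len(body) - 5:
            findings.append(f"BSON length {doc_len} does not fit {len(body) - 5} bytes")
    return findings


def sample_frame() -> bytes:
    """Constructed, well-formed frame: OP_MSG with an empty BSON document."""
    body = struct.pack("<I", 0) + b"\x00" + struct.pack("<i", 5) + b"\x00"
    tail = struct.pack("<iiB", OP_MSG, len(body), ZLIB_ID) + zlib.compress(body)
    return struct.pack("<iiii", 16 + len(tail), 1, 0, OP_COMPRESSED) + tail


if __name__ == "__main__":
    print(check_frame(sample_frame()))
```

A non-empty result on traffic to a `mongod` listener is a signal worth alerting on; upgrading to a fixed release from the table above remains the remediation.
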
**Note:** To ensure a clean and isolated environment for the project dependencies, it's recommended to use Python's venv module.

Linux/macOS:

```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-14847.git
cd CVE-2025-14847
python3 -m venv .venv
source .venv/bin/activate
```

Windows:

```bat
git clone https://github.com/joshuavanderpoll/CVE-2025-14847.git
cd CVE-2025-14847
python -m venv .venv
.venv\Scripts\activate
```

Usage:

```bash
python3 CVE-2025-14847.py --host 127.0.0.1 --port 27017
```

This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.
