MongoDB Server Security Update, December 2025

(mongodb.com)

51 points | by plorkyeran 4 hours ago

7 comments

  • kryogen1c 51 minutes ago
    >proactive [...] security program

    Idk how proactive patching an exploited-in-the-wild unauth RCE is, but pr statements gonna pr i guess.

    >This [...] vuln is not a breach or compromise of MongoDB

    IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?

    >vulnerability was discovered internally

    >detected the issue

    Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.

    >December 12–14 – We worked continuously

    It took 72 clock hours, assumably hundreds of man hours, to fix a malloc use after free and cstring null term bug? Maybe the user input field length part was a major design point??

    >dec 12 "detect" the issue, dec 19 cve, dec 23 first post

    Boy this sure seems like a long time for a first communication for a guaranteed-compromise-if-internet-facing bug.

    Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.

  • gberger 3 hours ago
    Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
    • joecool1029 2 hours ago
      Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
    • theteapot 51 minutes ago
      Might not be how it appears. The CVE number can be reserved by the org and then "published" with only minimal info, then later updated with full details. Looking at the metadata, that's probably what happened here (not entirely sure what the update was, though):

          {
            "cveId": "CVE-2025-14847",
            "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
            "state": "PUBLISHED",
            "assignerShortName": "mongodb",
            "dateReserved": "2025-12-17T18:56:21.301Z",
            "datePublished": "2025-12-19T11:00:22.465Z",
            "dateUpdated": "2025-12-29T23:20:23.813Z"
          }
    • cebert 3 hours ago
      In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
    • computerfan494 3 hours ago
      That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
      • philipwhiuk 2 hours ago
        Posting the CVE and then the patch is the reverse of this.
        • computerfan494 2 hours ago
          By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.
  • macintux 3 hours ago
  • vivzkestrel 1 hour ago
    if you are using mongodb in 2026 you deserve everything headed in your direction
  • bethekidyouwant 3 hours ago
    Who has mongo open to the internet?
    • Culonavirus 4 minutes ago
      listen, I'm not saying the Venn diagram between people who use mongo and people who would open it to the internet is a circle, but there is... ahem... a big overlap
    • ctxc 41 minutes ago
      Acc to a comment I read elsewhere, it's in the thousands (shodan result)
    • matt3210 3 hours ago
      Ubisoft does
  • empressplay 41 minutes ago
    lol Mongo

    Seriously.

    Mongo?

  • freakynit 1 hour ago