by FridgeSeal
0 subcomments
- Current link points straight to the Python code without a lot of context, so here’s the top of the readme:
> CVE-2025-14847 - MongoDB Unauthenticated Memory Leak Exploit
> A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory.
- What an awful vulnerability. The most interesting fact is that this has been there since the PR that introduced it in 2017[1].
I'm not sure how Mongo's review process works, but it seems like this one had zero review.
[1] - https://github.com/mongodb/mongo/pull/1152
- The problem is that about 20% of MongoDB users are still on v4, for which no patch has been provided since it reached end of support in Feb 2024...
- Do people usually run Mongo in a mode that allows unauthenticated calls? I don’t know anything about Mongo. This just seems surprising.
by FrostKiwi
1 subcomment
- This is astronomical. If I understood correctly, the full-on compromise of Ubisoft happened because of this.
- Good write ups:
https://doublepulsar.com/merry-christmas-day-have-a-mongodb-...
https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-1484...
- Luckily most people wouldn't use zlib anyway; they'd use snappy or zstd, and this also requires authenticated access to the cluster...
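The two mitigating factors raised in the reply above, compressor choice and authentication, map onto two standard mongod.conf keys. The fragment below is an added example from the editor, not code from the thread, the linked write-ups or the MongoDB project. `net.compression.compressors` is the real mongod setting that lists the wire-protocol compressors the server will negotiate, and `security.authorization` is the real switch for access control; the values chosen here are the editor's hardening suggestion. Whether removing zlib from the negotiated list is sufficient on its own against CVE-2025-14847 is not something this thread establishes, so treat it as defence in depth alongside the vendor patch.

```yaml
# Added example (not from the thread or from MongoDB's documentation):
# a hardened mongod.conf fragment. The keys are standard mongod options;
# the values are the editor's suggested settings, not a vendor-issued mitigation.
net:
  bindIp: 127.0.0.1          # keep the listener off the network unless it must be reachable
  compression:
    # Default is "snappy,zstd,zlib". Dropping zlib means the server will not
    # negotiate it with clients (assumption: all clients in use support snappy or zstd).
    compressors: snappy,zstd
security:
  authorization: enabled     # default is disabled, so commands are accepted with no credentials
```

To confirm what a running node actually has in effect, `db.version()` and `db.serverCmdLineOpts()` from mongosh show the server version and the parsed configuration, which is the quickest way to find a v4 node that, per the thread, will never receive a patch.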