MongoBleed

https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

124•gpi•1mo ago

Comments

dpark•1mo ago

Do people usually run Mongo in a mode that allows unauthenticated calls? I don’t know anything about Mongo. This just seems surprising.

giancarlostoro•1mo ago

Its default is to only take connections that are local, usually I have my mongo clients SSH into a mongo server as opposed to opening up the port to the internet. Some Mongo users / collections are very open by default.

It has been a minute since I used Mongo for production grade projects, so some things could have changed since then.

ehnto•1mo ago

I don't think I would be comfortable serving any DB over the internet these days, exploit scanners are so agressand ubiquitous that a breach would feel inevitable.

Not that it is fool proof, but if I am setting up the infrastructure I can probably control where the DB is deployed, so I would colocate it with the application servers on a local network or virtual local network, that is all I would be comfortable with.

erdaniels•1mo ago

No, but it's pretty common IME to create an Atlas cluster that has internet-wide access (0.0.0.0/0) when testing and forgetting to turn this off. According to https://jira.mongodb.org/browse/SERVER-115508, this affects unauthenticated ops. Based on the repro code itself, it looks like this happens way before authentication is checked for the corresponding OP at the OP_MSG decoding level.

So if you're using Atlas, check that your Cluster has auto upgraded already. If you're using 0.0.0.0/0, stop doing that and prefer a limited IP address range and even better, use VPC Peering or other security/network boundary features.

computerfan494•1mo ago

We received communication that all Atlas clusters were upgraded with the fix before the vulnerability was announced.

yearolinuxdsktp•1mo ago

This is a good example of a benefit of certificate-based authentication option for MongoDB, because you need to at least present a valid client certificate to transmit any data.

nailer•1mo ago

> No, but it's pretty common IME to create an Atlas cluster that has internet-wide access (0.0.0.0/0) when testing and forgetting to turn this off.

That is a ridiculous default.

winstonwinston•1mo ago

When vulnerability description says “unauthenticated exploit” that means that you can exploit without being required to authenticate first. It means it just works even with authentication being required on the server.

When it says “authenticated exploit” it means you need to pass authentication first in order to trigger exploit whatever it may be.

FridgeSeal•1mo ago

Current link points straight to the Python code without a lot of context, so here’s the top of the readme:

> CVE-2025-14847 - MongoDB Unauthenticated Memory Leak Exploit

> A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory.

winrid•1mo ago

Luckily most people wouldn't use zlib anyway, they'd use snappy or zstd, and this also requires authenticated access to the cluster ....

mirashii•1mo ago

> authenticated access to the cluster

No it doesn’t.

> they'd use snappy or zstd

What is being used more doesn’t matter, what’s compiled in and enabled matters.

spzb•1mo ago

Good write ups:

https://doublepulsar.com/merry-christmas-day-have-a-mongodb-...

https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-1484...

enether•1mo ago

What an awful vulnerability. The most interesting fact is that this has been there since the PR that introduced it in 2017[1].

I'm not sure how Mongo's review process works, but it seems like this one had zero review.

[1] - https://github.com/mongodb/mongo/pull/1152

FrostKiwi•1mo ago

This is astronomical. If I correctly understood, the full on compromise of Ubisoft happened because of this.

spaquet•1mo ago

The problem is that about 20% of mongodb users are still on v4 for which not patch has been provided since it reach end of support on Feb 2024...

beembeem•1mo ago

Incorrect, the company patched 4.4 on 12/19/25 with a special 4.4.30 release:

https://www.mongodb.com/docs/v4.4/release-notes/4.4/#4.4.30-...

A Tale of Two Standards, POSIX and Win32 (2005)

Ask HN: Is the Downfall of SaaS Started?

Flirt: The Native Backend

OpenAI's Latest Platform Targets Enterprise Customers

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else

Suno, AI Music, and the Bad Future [video]

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice