CVE-2025-14847: MongoBleed
29 points by Cajunvoodoo
I was going to say "sure, but who would expose Mongo to the Internet" but yet again I fail to imagine the laziness of developers https://www.shodan.io/search?query=port%3A27017+MongoDB
If there was one thing that penetration testing taught me, it was that people will absolutely expose anything to the internet and often for baffling reasons.
it trusts the user’s input and uses that as the canonical size of the payload
In order to be helpful, the response contains an error message that shows which field was invalid
A perfect 1-2. I'm really mouth open after reading this. Don't see one like this very often.
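The two quoted lines describe the pair of defects: a declared length taken as the true payload size, and an error path that echoes the field back. As an added illustration (not code from the thread or from MongoDB), here is a length-prefixed field parser that bounds the declared length by the bytes actually received and reports only sizes in its error text; the wire format and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (not MongoDB's):
 * [u32 little-endian declared_len][declared_len bytes of field data] */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_BAD_LENGTH = 2 };

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one field from `buf_len` bytes that were really received.
 * The declared length is checked against the remaining bytes before it is
 * used, so no read can run past `buf` into whatever memory follows it.
 * On error the message names sizes only; field bytes are never echoed. */
enum parse_status parse_field(const uint8_t *buf, size_t buf_len,
                              const uint8_t **field, size_t *field_len,
                              char *err, size_t err_cap) {
    if (buf_len < 4) {
        snprintf(err, err_cap, "field header truncated: have %zu bytes, need 4",
                 buf_len);
        return PARSE_TRUNCATED;
    }
    uint32_t declared = read_u32le(buf);
    if (declared > buf_len - 4) {   /* the check the quoted code lacked */
        snprintf(err, err_cap, "declared length %u exceeds %zu remaining bytes",
                 (unsigned)declared, buf_len - 4);
        return PARSE_BAD_LENGTH;
    }
    *field = buf + 4;
    *field_len = declared;
    err[0] = '\0';
    return PARSE_OK;
}

/* Returns 1 when a well-formed field parses and an oversized declared
 * length is rejected without the error text leaking the field bytes. */
int demo(void) {
    const uint8_t good[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t bad[]  = {0xff, 0xff, 0, 0, 'h', 'i'}; /* claims 65535, has 2 */
    const uint8_t *f; size_t n; char err[128];
    if (parse_field(good, sizeof good, &f, &n, err, sizeof err) != PARSE_OK) return 0;
    if (n != 5 || memcmp(f, "hello", 5) != 0) return 0;
    if (parse_field(bad, sizeof bad, &f, &n, err, sizeof err) != PARSE_BAD_LENGTH) return 0;
    return strstr(err, "hi") == NULL;
}
```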
I’m curious what happens on iOS and macOS as both ostensibly always return zeroed memory from malloc, etc. (ostensibly because I recall some articles that said that the way it is done means an overrun prior to calloc will return unzeroed memory).
What an awful vulnerability. I'm a bit surprised it isn't getting more publicity - must be the holiday season.
The most interesting fact is that this has been there since the PR that introduced it in 2017[1]. I'm not sure how Mongo's review process works, but it seems like this one had zero public review.
Well, Heartbleed was publicized in 2014, so by 2017 people had learned it well, and nobody would think they could still introduce the same bug in new code, so no review would be needed.