13 comments

[ 2.6 ms ] story [ 33.0 ms ] thread
Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
Who has mongo open to the internet?
Many people who use MongoDB Atlas (or other hosted MongoDB services) alongside a PaaS like Heroku that doesn’t offer static IPs or ranges.
if you are using mongodb in 2026 you deserve everything headed in your direction
And can you explain why? I think not. What's the superior alternative, for every use case?
>proactive [...] security program

Idk how proactive patching an exploited-in-the-wild unauth RCE is, but pr statements gonna pr i guess.

>This [...] vuln is not a breach or compromise of MongoDB

IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?

>vulnerability was discovered internally >detected the issue

Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.

>December 12–14 – We worked continuously

It took 72 clock hours, assumably hundreds of man hours, to fix a malloc use after free and cstring null term bug? Maybe the user input field length part was a major design point??

>dec 12 "detect" the issue, dec 19 cve, dec 23 first post

Boy this sure seems like a long time for a first communication for a guaranteed compromise if internet facing bug.

Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.

" >proactive [...] security program Idk how proactive patching an exploited-in-the-wild unauth RCE is, but pr statements gonna pr i guess. "

If you follow their history, especially the jepsen analysis and the whole back and forth, you will find a pattern.

> Boy this sure seems like a long time for a first communication for a guaranteed compromise if internet facing bug.

If you still run MongoDB facing the internet you have bigger problems.

We used MongoDB's cloud offering (Atlas) and have had nothing but problems with it. Like, serious problems - "production down for multiple days" problems caused entirely by MongoDB messing up SSL certificates on their end. We were utterly powerless to do anything and their support was dreadful. I cannot take their products seriously now.