Post · bonfire.mavnn.eu

Post

@GossiTheDog@cyberplace.social · 6 hours ago

Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB on Christmas Day, that leaks memory and automates harvesting secrets (e.g. database passwords)

CVE-2025-14847 aka MongoBleed

Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents

Impacts every MongoDB version going back a decade.

Shodan dork: product:"MongoDB"

varx/tech

@varx@infosec.exchange replied · 3 hours ago

@GossiTheDog They were just doing Advent of Vulns.

Jonathan Kamens 86 47

@jik@federate.social replied · 5 hours ago

@GossiTheDog I am having a bit of trouble getting worked up about this.
The bug went public six days before Christmas. This means, frankly, that the folks who get paid to be bad actors, of which there are rather many nowadays, have had six days to figure out how to exploit it. I'm sure several of them had already figured it out before the Eclipse dude dropped the exploit.
By making the urgency of patching this issue clear, he has arguably done a public service.

Kevin Beaumont

@GossiTheDog@cyberplace.social replied · 3 hours ago

@jik nobody is telling you to get worked up 😅

(hic/haec/hoc)

@_hic_haec_hoc@fosstodon.org replied · 5 hours ago

@GossiTheDog every version going back a decade? Thank goodness we're ok then, ours is older 😎

T1- Push The Button

@Just_Patch_It@cyberplace.social replied · 5 hours ago

@GossiTheDog who the fuck exposes a DB directly to the internet?

Kevin Beaumont

@GossiTheDog@cyberplace.social replied · 5 hours ago

@Just_Patch_It about a quarter of a million orgs 😅

@nblr@chaos.social replied · 5 hours ago

@GossiTheDog .oO( Surely nobody exposes mongodb towards the inter-| OMGWTFBBQsrsly?

buherator

@buherator@infosec.place replied · 5 hours ago

@GossiTheDog Maybe you are confusing MariaDB with MongoDB in their relation to MySQL?

Omar Abu Asaker

@omarasaker@mastodon.social replied · 6 hours ago

@GossiTheDog

I’m Omar from Gaza 🇵🇸
If you’re able to share my story and donate, it would mean a lot🙏🏻

Kevin Beaumont

@GossiTheDog@cyberplace.social replied · 6 hours ago

The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.

Dan Sugalski

@wordshaper@weatherishappening.network replied · 3 hours ago

@GossiTheDog Wait, wait, wait, they decided the best time to drop an "oh, we fucked up about a decade ago, here's a demo of how to use that fuckup to show how bad it is" was on goddamn Christmas Day? *Seriously*?

That's... well, ho ho ho, have some coal in your stocking, I guess.

RootWyrm 🇺🇦:progress:

@rootwyrm@weird.autos replied · 5 hours ago

@GossiTheDog sounds like this exploit is webscale!

https://www.youtube.com/watch?v=b2F-DItXtZs

Episode 1 - Mongo DB Is Web Scale

YouTube

Kevin Beaumont

@GossiTheDog@cyberplace.social replied · 6 hours ago

I did a quick write up: https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb

Medium

Merry Christmas Day! Have a MongoDB security incident.

Somebody from Elastic Security decided to post an exploit for CVE-2025–14847 on Christmas Day.

yopp

@alex@feed.yopp.me replied · 1 hour ago

@GossiTheDog it would be great to add note that you don’t have to upgrade right now.

Disabling zlib for network compression in enough to mitigate

Either:

a) Restart mongod/mongos with option --networkMessageCompressors=snappy,zstd
(omit zstd on 3.6 and 4.0)

b) Disable in mongod.conf and restart

net:
 compression:
 # (omit `zstd` on 3.6 and 4.0)
 compressors: snappy,zstd

And then plan upgrade after holidays

@edbo@mastodon.social replied · 2 hours ago

@GossiTheDog Publishing an exploit on Christmas Day and not providing any info on how to detect exploitation is just the most stupid thing for a security vendor to do...

Kevin Beaumont

@GossiTheDog@cyberplace.social replied · 2 hours ago

@edbo in fairness I think it's their personal account.. they've just put where they work everywhere so it's a bit odd looking optics wise 😅

@edbo@mastodon.social replied · 35 minutes ago

@GossiTheDog Ah okay, still bad but makes a bit more senae

Simon Michalke

@simon_m@infosec.exchange replied · 5 hours ago

@GossiTheDog

Does this count as yet another result of null terminated Strings being the most expensive architectural design choice that was ever made?

Denis G

@Dev_Soft@privacysafe.social replied · 6 hours ago

@GossiTheDog Hello, are you developer?

Alan Miller :verified_paw: 🇺🇦

@fencepost@infosec.exchange replied · 6 hours ago

@GossiTheDog crappy timing but looks like it was a bit earlier than that. https://jira.mongodb.org/browse/SERVER-115508

Kevin Beaumont

@GossiTheDog@cyberplace.social replied · 6 hours ago

@fencepost the vulnerability yes, not the exploit.

ada

@ada@beige.party replied · 6 hours ago

@GossiTheDog
At least they have the decency to wait till Christmas unlike log4j

NosirrahSec 🏴‍☠️ guillotine enthusiast

@NosirrahSec@infosec.exchange replied · 6 hours ago

@GossiTheDog
Me, unemployed right now: 😎

vascorsd

@vascorsd@mastodon.social replied · 6 hours ago

@GossiTheDog it really is the best time. If I had the power to discover and release stuff like this I would do it always during these times of the year. Such a power move