MongoBleed

(github.com)

41 points by gpi 4 hours ago

2 comments

  • FridgeSeal 28 minutes ago
    Current link points straight to the Python code without a lot of context, so here’s the top of the readme:

    > CVE-2025-14847 - MongoDB Unauthenticated Memory Leak Exploit

    > A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory.
  • dpark 1 hour ago
    Do people usually run Mongo in a mode that allows unauthenticated calls? I don’t know anything about Mongo. This just seems surprising.
    • erdaniels 56 minutes ago
      No, but it's pretty common IME to create an Atlas cluster that has internet-wide access (0.0.0.0/0) when testing and forgetting to turn this off. According to https://jira.mongodb.org/browse/SERVER-115508, this affects unauthenticated ops. Based on the repro code itself, it looks like this happens way before authentication is checked for the corresponding OP at the OP_MSG decoding level.

      So if you're using Atlas, check that your Cluster has auto upgraded already. If you're using 0.0.0.0/0, stop doing that and prefer a limited IP address range and even better, use VPC Peering or other security/network boundary features.
      • computerfan494 36 minutes ago
        We received communication that all Atlas clusters were upgraded with the fix before the vulnerability was announced.
    • giancarlostoro 1 hour ago
      Its default is to only take connections that are local; usually I have my mongo clients SSH into a mongo server as opposed to opening up the port to the internet. Some Mongo users / collections are very open by default.

      It has been a minute since I used Mongo for production grade projects, so some things could have changed since then.