Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB on Christmas Day that leaks memory and automates harvesting secrets (e.g. database passwords).
CVE-2025-14847 aka MongoBleed
Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py
This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents
Impacts every MongoDB version going back a decade.
Shodan dork: product:"MongoDB"
@GossiTheDog oh for fuck's sake, what an asshole time to drop that one
@GossiTheDog
At least they have the decency to wait till Christmas unlike log4j
The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.
@GossiTheDog crappy timing but looks like it was a bit earlier than that. https://jira.mongodb.org/browse/SERVER-115508
@fencepost the vulnerability yes, not the exploit.
I did a quick write up: https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb
@GossiTheDog .oO( Surely nobody exposes mongodb towards the inter-| OMGWTFBBQsrsly?
@GossiTheDog who the fuck exposes a DB directly to the internet?
@Just_Patch_It about a quarter of a million orgs
@nblr @GossiTheDog ofc not, I bet on aistartups and governments :3
All information should be FREE!
Except the personal one ;-)
@rootwyrm @GossiTheDog YOU CAN'T STOP IT ANYMORE
@GossiTheDog https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977 All of MongoDB's hosted servers are patched for folks running on Atlas.
@GossiTheDog I am having a bit of trouble getting worked up about this.
The bug went public six days before Christmas. This means, frankly, that the folks who get paid to be bad actors, of which there are rather many nowadays, have had six days to figure out how to exploit it. I'm sure several of them had already figured it out before the Eclipse dude dropped the exploit.
By making the urgency of patching this issue clear, he has arguably done a public service.