MongoDB Server Security Update, December 2025

 (mongodb.com)

33 points | by plorkyeran 2 hours ago

3 comments

  • gberger 1 hour ago
    Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
    [-]
    • joecool1029 1 hour ago
      Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
    • cebert 1 hour ago
      In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
    • computerfan494 1 hour ago
      That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
      [-]
      • philipwhiuk 45 minutes ago
        Posting the CVE and then the patch is the reverse of this.
        [-]
        • computerfan494 38 minutes ago
          By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.
  • macintux 1 hour ago
    1 day ago, 116 comments: https://news.ycombinator.com/item?id=46414475
  • bethekidyouwant 1 hour ago
    Who has mongo open to the internet?
    [-]