MongoDB Server Security Update, December 2025

 (mongodb.com)

27 points | by plorkyeran 1 hour ago

3 comments

  • gberger 1 hour ago
    Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
    [-]
    • joecool1029 24 minutes ago
      Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
    • cebert 1 hour ago
      In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
    • computerfan494 1 hour ago
      That's a good question. I suppose that posting the patch makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
      [-]
      • philipwhiuk 6 minutes ago
        Posting the CVE and then the patch is the reverse of this.
  • macintux 1 hour ago
    1 day ago, 116 comments: https://news.ycombinator.com/item?id=46414475
  • bethekidyouwant 1 hour ago
    Who has mongo open to the internet?
    [-]