
Comments (40)

  • kryogen1c
    >proactive [...] security program

    Idk how proactive patching an exploited-in-the-wild unauth RCE is, but pr statements gonna pr i guess.

    >This [...] vuln is not a breach or compromise of MongoDB

    IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?

    >vulnerability was discovered internally
    >detected the issue

    Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.

    >December 12–14 – We worked continuously

    It took 72 clock hours, assumably hundreds of man hours, to fix a malloc use after free and cstring null term bug? Maybe the user input field length part was a major design point??

    >dec 12 "detect" the issue, dec 19 cve, dec 23 first post

    Boy this sure seems like a long time for a first communication for a guaranteed compromise if internet facing bug.

    Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.
  • gberger
    Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
  • macintux
  • vivzkestrel
    if you are using mongodb in 2026 you deserve everything headed in your direction
  • bethekidyouwant
    Who has mongo open to the internet?
  • cpursley
  • empressplay
    [flagged]
  • freakynit