{"id":24,"date":"2025-12-30T03:50:14","date_gmt":"2025-12-30T03:50:14","guid":{"rendered":"https:\/\/rknreports.com\/?p=24"},"modified":"2025-12-30T03:50:15","modified_gmt":"2025-12-30T03:50:15","slug":"mongodb-serious-bug-mongobleed","status":"publish","type":"post","link":"https:\/\/rknreports.com\/?p=24","title":{"rendered":"MongoDB serious bug ‘mongobleed’"},"content":{"rendered":"\n

MongoDB’s CTO Jim Scharf writes a straightforward post<\/a> outlining how the bug was found and how they rolled it out and fixed it. Bravo for a great response and timeline. <\/p>\n\n\n\n

\n

The vulnerability was discovered internally by MongoDB Security Engineering as part of our proactive and continuously evolving security program. Over the last several years, we have increased our investment in people, processes, and technology to analyse and improve our codebase continuously. This work is ongoing, and discoveries like this reinforce the importance of sustained focus in this area.<\/p>\n<\/blockquote>\n\n\n\n

Kudos to them for finding, reporting, and fixing this very serious bug with the level of transparency they did. My big complaint is how poorly communicated how bad this bug is. See this post by Stanislav Kozlovski’s Big Data Stream blog<\/a><\/p>\n\n\n\n

\n

It allows an attacker to read off any uninitialized heap memory, meaning anything<\/strong><\/em> that was allocated to memory from a previous database operation could be read.<\/p>\n\n\n\n

The bug was introduced in 20172<\/a>. It is dead-easy to exploit – it only requires connectivity to the database (no auth needed). It is fixed as of writing, but some EOL versions (3.6, 4.0, 4.2) will not get it.<\/p>\n<\/blockquote>\n\n\n\n

Being clear about how bad the bug is helps users and administrators understand how they should prioritize fixing these things.<\/p>\n","protected":false},"excerpt":{"rendered":"

MongoDB’s CTO Jim Scharf writes a straightforward post outlining how the bug was found and how they rolled it out and fixed it. Bravo for a great response and timeline. The vulnerability was discovered internally by MongoDB Security Engineering as part of our proactive and continuously evolving security program. Over the last several years, we […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-vulnerabilities"],"yoast_head":"\nMongoDB serious bug 'mongobleed' - RKN Reports<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rknreports.com\/?p=24\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MongoDB serious bug 'mongobleed' - RKN Reports\" \/>\n<meta property=\"og:description\" content=\"MongoDB’s CTO Jim Scharf writes a straightforward post outlining how the bug was found and how they rolled it out and fixed it. Bravo for a great response and timeline. The vulnerability was discovered internally by MongoDB Security Engineering as part of our proactive and continuously evolving security program. Over the last several years, we […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rknreports.com\/?p=24\" \/>\n<meta property=\"og:site_name\" content=\"RKN Reports\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-30T03:50:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-30T03:50:15+00:00\" \/>\n<meta name=\"author\" content=\"thehigherlife\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"thehigherlife\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rknreports.com\\\/?p=24#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rknreports.com\\\/?p=24\"},\"author\":{\"name\":\"thehigherlife\",\"@id\":\"http:\\\/\\\/rknreports.com\\\/#\\\/schema\\\/person\\\/be8044fa7929103c45551112d7b14ce8\"},\"headline\":\"MongoDB serious bug ‘mongobleed’\",\"datePublished\":\"2025-12-30T03:50:14+00:00\",\"dateModified\":\"2025-12-30T03:50:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rknreports.com\\\/?p=24\"},\"wordCount\":218,\"articleSection\":[\"vulnerabilities\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rknreports.com\\\/?p=24\",\"url\":\"https:\\\/\\\/rknreports.com\\\/?p=24\",\"name\":\"MongoDB serious bug 'mongobleed' - RKN Reports\",\"isPartOf\":{\"@id\":\"http:\\\/\\\/rknreports.com\\\/#website\"},\"datePublished\":\"2025-12-30T03:50:14+00:00\",\"dateModified\":\"2025-12-30T03:50:15+00:00\",\"author\":{\"@id\":\"http:\\\/\\\/rknreports.com\\\/#\\\/schema\\\/person\\\/be8044fa7929103c45551112d7b14ce8\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rknreports.com\\\/?p=24#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rknreports.com\\\/?p=24\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rknreports.com\\\/?p=24#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\\\/\\\/rknreports.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MongoDB serious bug ‘mongobleed’\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\\\/\\\/rknreports.com\\\/#website\",\"url\":\"http:\\\/\\\/rknreports.com\\\/\",\"name\":\"RKN Reports\",\"description\":\"A well curated list of the Cyber News.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\\\/\\\/rknreports.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\\\/\\\/rknreports.com\\\/#\\\/schema\\\/person\\\/be8044fa7929103c45551112d7b14ce8\",\"name\":\"thehigherlife\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/24e4e0374521a9fa7b118bdbb507e4e634d507efe5433b6794dc5da65c48f729?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/24e4e0374521a9fa7b118bdbb507e4e634d507efe5433b6794dc5da65c48f729?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/24e4e0374521a9fa7b118bdbb507e4e634d507efe5433b6794dc5da65c48f729?s=96&d=mm&r=g\",\"caption\":\"thehigherlife\"},\"sameAs\":[\"https:\\\/\\\/rknreports.com\"],\"url\":\"https:\\\/\\\/rknreports.com\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MongoDB serious bug 'mongobleed' - RKN Reports","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rknreports.com\/?p=24","og_locale":"en_US","og_type":"article","og_title":"MongoDB serious bug 'mongobleed' - RKN Reports","og_description":"MongoDB’s CTO Jim Scharf writes a straightforward post outlining how the bug was found and how they rolled it out and fixed it. Bravo for a great response and timeline. The vulnerability was discovered internally by MongoDB Security Engineering as part of our proactive and continuously evolving security program. Over the last several years, we […]","og_url":"https:\/\/rknreports.com\/?p=24","og_site_name":"RKN Reports","article_published_time":"2025-12-30T03:50:14+00:00","article_modified_time":"2025-12-30T03:50:15+00:00","author":"thehigherlife","twitter_card":"summary_large_image","twitter_misc":{"Written by":"thehigherlife","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rknreports.com\/?p=24#article","isPartOf":{"@id":"https:\/\/rknreports.com\/?p=24"},"author":{"name":"thehigherlife","@id":"http:\/\/rknreports.com\/#\/schema\/person\/be8044fa7929103c45551112d7b14ce8"},"headline":"MongoDB serious bug ‘mongobleed’","datePublished":"2025-12-30T03:50:14+00:00","dateModified":"2025-12-30T03:50:15+00:00","mainEntityOfPage":{"@id":"https:\/\/rknreports.com\/?p=24"},"wordCount":218,"articleSection":["vulnerabilities"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/rknreports.com\/?p=24","url":"https:\/\/rknreports.com\/?p=24","name":"MongoDB serious bug 'mongobleed' - RKN Reports","isPartOf":{"@id":"http:\/\/rknreports.com\/#website"},"datePublished":"2025-12-30T03:50:14+00:00","dateModified":"2025-12-30T03:50:15+00:00","author":{"@id":"http:\/\/rknreports.com\/#\/schema\/person\/be8044fa7929103c45551112d7b14ce8"},"breadcrumb":{"@id":"https:\/\/rknreports.com\/?p=24#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rknreports.com\/?p=24"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rknreports.com\/?p=24#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/rknreports.com\/"},{"@type":"ListItem","position":2,"name":"MongoDB serious bug ‘mongobleed’"}]},{"@type":"WebSite","@id":"http:\/\/rknreports.com\/#website","url":"http:\/\/rknreports.com\/","name":"RKN Reports","description":"A well curated list of the Cyber News.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/rknreports.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"http:\/\/rknreports.com\/#\/schema\/person\/be8044fa7929103c45551112d7b14ce8","name":"thehigherlife","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/24e4e0374521a9fa7b118bdbb507e4e634d507efe5433b6794dc5da65c48f729?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/24e4e0374521a9fa7b118bdbb507e4e634d507efe5433b6794dc5da65c48f729?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/24e4e0374521a9fa7b118bdbb507e4e634d507efe5433b6794dc5da65c48f729?s=96&d=mm&r=g","caption":"thehigherlife"},"sameAs":["https:\/\/rknreports.com"],"url":"https:\/\/rknreports.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/rknreports.com\/index.php?rest_route=\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rknreports.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rknreports.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rknreports.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rknreports.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24"}],"version-history":[{"count":1,"href":"https:\/\/rknreports.com\/index.php?rest_route=\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":25,"href":"https:\/\/rknreports.com\/index.php?rest_route=\/wp\/v2\/posts\/24\/revisions\/25"}],"wp:attachment":[{"href":"https:\/\/rknreports.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rknreports.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rknreports.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}