Should I worry about MongoDB Vulnerability CVE-2025-14847

swheeler78

There's been a lot of headlines about this in the tech world. Surprised it hasn't shown up here.

https://thehackernews.com/2025/12/mongodb-vulnerability-cve-2025-14847.html

https://www.bleepingcomputer.com/news/security/exploited-mongobleed-flaw-leaks-mongodb-secrets-87k-servers-exposed/

nebulon

If I understand this correctly, this would require access to the database (although unauthorized) in the first place. In Cloudron mongodb (like the other services/addons) are not exposed to the public internet. Only apps have access to and those already get a set of credentials anyways. So unless an app is attempting to exploit this, which would mean the app itself is already compromised, I don't see how this affects Cloudron deployments.

If anyone has more insights or understanding here, this would be good to know.

swheeler78

Ok, That's what I thought. But I figured I'd ask.

girish

We already fixed this - https://git.cloudron.io/platform/box/-/commit/a02e933375e5ef6b833029acee1bae969e1203fe . We are working on a final update to 9.0 with various UI fixes and this change will be part of that (i.e 9.0.16).