Comment by gberger
15 hours ago
Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128
In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.
should've spun up a few more AI agents
Might not be how it appears. The CVE number can be reserved by the org and then "published" with only minimal info, then later updated with full details. Looking at the metadata, that's probably what happened here (not entirely sure what the update was though):
That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
Posting the CVE and then the patch is the reverse of this.
By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.