Hello and welcome to the Sunday December 28, 2025 edition of the Sands

Inundated Storm Centers Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

And this episode is brought you by the sands.edu undergraduate certificate program in cybersecurity fundamentals.

Sadly, we do have, well, in a little bit, one of those special Christmas presents that we got here

that required me to do after summary consideration, a special podcast, at least want to get it out there and make

you decide whether or not this is something that's important or critical for you.

The problem here is MongoDB.

On the 24th, a patch was released for MongoDB, so well, a Christmas gift patch.

Problem was that this patch also fixed a critical vulnerability in MongoDB,

a memory leak issue or really a memory disclosure issue.

The vulnerability is a little bit like heart bleed.

So what's happening here is that MongoDB does accept Bison formatted data. Bson binary JSON,

so it's not JSON, it's sort of a more binary encoded form of JSON that also allows for compression.

Well, with compression, we always have the issue that length of things change as it's being decompressed

and we have to track this. Usually, you know, this has in the past that caused many, many

buffer overflows. This one is different where the buffer size being reported back is actually

the size of the entire allocated memory, not just the size of the memory that was actually used.

And it's in particular if a Bison file was parsed by MongoDB that, well, did lie a little bit about its content link.

So what's happening with that extra memory?

Well, it's going to be filled with essentially random allocated memory for the MongoDB

process. That may contain any MongoDB data that's available there, including, of course,

secrets like keys and the like, and definitely data that you don't want to leak.

...