24h | 7d | 30d

CVE-2025-14847

Overview

  • MongoDB Inc.
  • MongoDB Server
19 Dec 2025
Published
19 Dec 2025
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.04%
KEV

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

  • 9 Posts
Last activity: 7 hours ago

Bluesky

Profile picture
guardian360.bsky.social @guardian360.bsky.social
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of
  • 0
  • 0
  • 0
  • 22h ago
Profile picture
/r/netsec @r-netsec-bot.bsky.social
Mongobleed - CVE-2025-14847
  • 0
  • 0
  • 2
  • 22h ago
Profile picture
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[25.05] mongodb*: mark vulnerable to CVE-2025-14847 https://github.com/NixOS/nixpkgs/pull/474530 #security
  • 0
  • 0
  • 0
  • 20h ago
Profile picture
WarthogTK @warthogtk.bsky.social
CVE-2025-14847 - MongoDB Unauthenticated Memory Leak Exploit A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory github.com/joe-desimone...
  • 0
  • 0
  • 1
  • 19h ago
Profile picture
Securitycipher @securitycipher.bsky.social
MongoBleed (CVE‑2025‑14847): A Pre‑Auth MongoDB Memory Leak You Can Hunt at Scale https://medium.com/@Black1hp/mongobleed-cve-2025-14847-a-pre-auth-mongodb-memory-leak-you-can-hunt-at-scale-c8faa00f2bdd?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 13h ago
Profile picture
SANS.edu Internet Storm Center @sansisc.bsky.social
SANS Stormcast Sunday, December 28th, 2025: MongoDB Unauthenticated Memory Leak CVE-2025-14847 https://isc.sans.edu/podcastdetail/9750
  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-68664

Overview

  • langchain-ai
  • langchain
23 Dec 2025
Published
24 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.3)
EPSS
0.05%
KEV

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Statistics

  • 3 Posts
  • 2 Interactions
Last activity: 7 hours ago

Fediverse

Profile picture
ekiledjian @edwardk

A critical vulnerability in LangChain Core (CVE-2025-68664) allows prompt injection and data exposure by enabling attackers to instantiate unsafe objects during serialization and deserialization. This flaw, affecting widely used functions, can lead to secret leakage and potential code execution, with patches available in versions 1.2.5 and 0.3.81.
securityaffairs.com/186185/hac

  • 1
  • 1
  • 0
  • 11h ago
Profile picture
maschmi @inw

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

thehackernews.com/2025/12/crit

> A critical LangChain Core vulnerability (CVE-2025-68664, CVSS 9.3) allows secret theft and prompt injection through unsafe serialization; updates fix

#LangChain #unsafeDeserialization

  • 0
  • 0
  • 0
  • 23h ago

Bluesky

Profile picture
CyberHub @cyberhub.blog
📌 Critical Vulnerability in LangChain Core (CVE-2025-68664) Enables Prompt Injection Attacks https://www.cyberhub.blog/article/17302-critical-vulnerability-in-langchain-core-cve-2025-68664-enables-prompt-injection-attacks
  • 0
  • 0
  • 0
  • 7h ago

CVE-2025-54322

Overview

  • Xspeeder
  • SXZOS
27 Dec 2025
Published
27 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Statistics

  • 2 Posts
  • 2 Interactions
Last activity: 19 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🔴 CVE-2025-54322 - Critical (10)

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 1
  • 0
  • 0
  • 21h ago

Bluesky

Profile picture
Cyber Kendra @cyberkendra.com
🤖 AI just found its first zero-day vulnerability. CVE-2025-54322 affects 70,000+ industrial network devices worldwide. No authentication needed. Root access. Full Details - www.cyberkendra.com/2025/12/ai-a... #Cybersecurity #AI #ZeroDay #InfoSec #IndustrialSecurity #TechNews #AIHacking
  • 1
  • 0
  • 0
  • 19h ago

CVE-2025-55182

Overview

  • Meta
  • react-server-dom-webpack
03 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
46.72%
KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: Last hour

Fediverse

Profile picture
Cybersecurity & cyberwarfare @cybersecurity

Cloudflare’s Outages and Why Cool Kids Test on Prod

Every system administrator worth their salt knows that the right way to coax changes to network infrastructure onto a production network is to first validate it on a Staging network: a replica of the Production (Prod) network. Meanwhile all the developers who are working on upcoming changes are safely kept in their own padded safety rooms in the form of Test, Dev and similar, where Test tends to be the pre-staging phase and Dev is for new-and-breaking changes. This is what anyone should use, and yet Cloudflare apparently deems itself too cool for such a rational, time-tested approach based on their latest outage.

In their post-mortem on the December 5th outage, they describe how they started doing a roll-out of a change to React Server Components (RSC), to allow for a 1 MB buffer to be used as part of addressing the critical CVE-2025-55182 in RSC. During this roll-out on Prod, it was discovered that a testing tool didn’t support the increased buffer size and it was decided to globally disable it, bypassing the gradual roll-out mechanism.

This follows on the recent implosion at Cloudflare when their brand-new, Rust-based FL2 proxy keeled over when it encountered a corrupted input file. This time, disabling the testing tool created a condition in the original Lua-based FL1 where a NIL value was encountered, after which requests through this proxy began to fail with HTTP 500 errors. The one saving grace here is that the issue was detected and corrected fairly quickly, unlike when the FL2 proxy fell over due to another issue elsewhere in the network and it took much longer to diagnose and fix.

Aside from Cloudflare clearly having systemic issues with actually testing code and validating configurations prior to ‘testing’ on Prod, this ought to serve as a major warning to anyone else who feels that a ‘quick deployment on Prod’ isn’t such a big deal. Many of us have dealt with companies where testing and development happened on Staging, and the real staging on Prod. Even if it’s management-enforced, that doesn’t help much once stuff catches on fire and angry customers start lighting up the phone queue.

hackaday.com/2025/12/28/cloudf…

  • 0
  • 0
  • 0
  • Last hour

Bluesky

Profile picture
CyberHub @cyberhub.blog
📌 CVE-2025-55182 React Server Components Remote Code Execution Vulnerability Analysis https://www.cyberhub.blog/article/17296-cve-2025-55182-react-server-components-rce-vulnerability-analysis
  • 0
  • 1
  • 0
  • 9h ago

CVE-2025-9615

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 12 Interactions
Last activity: 13 hours ago

Fediverse

Profile picture
AerynOS.com @AerynOS

Unstable stream updates: 27th December 2025

Declarative moss system-model export and import tech preview features

Moss now has the ability to use a declarative `/etc/moss/system-model.kdl` to define installed packages and repositories.

In addition, for users who prefer the classic "imperative" moss experience, it is now possible to `moss state --export` a `system-model.kdl` file of the current system to share with others.

In turn, it is also possible to one-shot `moss sync --import` an existing `system-model.kdl` file.

These features are delivered as a tech preview.

Boulder package recipe version string requirements

The Boulder packaging tool now checks for a valid recipe version string (= anything starting with an integer) and errors out if the version string is not valid.

This is necessary because our `ent` package update checking tool compares version strings to determine whether packages need an update, and will give false positives if we have a version string that looks like e.g. `v0.1.2` (note the `v`).

Highlights

- KDE Frameworks 6.21.0
- KMSCon 9.2.1 (currently not enabled by default)
- NVIDIA graphics driver 590.48.01
- discord 0.0.119
- gamescope 3.16.18
- gstreamer 1.26.10
- linux 6.17.13
- mesa 25.3.2
- sudo-rs 0.2.11
- uutils-coreutils 0.5.0
- vlc 3.22
- vscode-bin 1.107.0
- vscodium 1.107.18627
- wine 11.0-rc3
- zed 0.217.3

Other updates

Other updates include, but are not limited to:

- fastfetch
- inetutils
- inputplumber
- libdrm
- libva
- ryzenadj
- solaar
- tzdata
- wireplumber

Fixes

- Disabled LTO for the build of our recipe version checking tool `ent`, which makes `ent check updates` actually work.
- Fixed a sudo issue where using Super+T to open a cosmic-terminal in a Cosmic sesion would make sudo unable to find any commands
- Made cosmic-greeter fall back to branded background

Security Fixes:

- Patches to networkmanager and networkmanager-openvpn for CVE-2025-9615

New packages

- font-awesome-ttf 6.7.2
- lsd 1.2.0 (next gen ls command)
- swayidle 1.9.0
- yazi 25.5.31 (terminal file manager)
- yubikey-manager 5.8.0

github.com/orgs/AerynOS/discus

#AerynOS #Linux #Rust

  • 5
  • 7
  • 0
  • 13h ago

CVE-2025-50165

Overview

  • Microsoft
  • Windows Server 2025 (Server Core installation)
12 Aug 2025
Published
21 Nov 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
3.84%
KEV

Description

Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 5 hours ago

Fediverse

Profile picture
Patrick C Miller :donor: @patrickcmiller

Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component welivesecurity.com/en/eset-res

  • 2
  • 1
  • 0
  • 5h ago

CVE-2025-13654

Overview

  • Duc
  • Duc
05 Dec 2025
Published
05 Dec 2025
Updated
CVSS
Pending
EPSS
0.05%
KEV

Description

A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read.

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
🔐 Patch Alert for #openSUSE: CVE-2025-13654, a buffer logic error in the 'duc' utility, has been fixed in version 1.4.6. Affects SLE-15-SP7 Backports. Read more: 👉 tinyurl.com/2ezx4vuw #Security
  • 0
  • 0
  • 0
  • 23h ago

CVE-2025-66738

Overview

  • Pending
26 Dec 2025
Published
27 Dec 2025
Updated
CVSS
Pending
EPSS
0.04%
KEV

Description

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2025-66738 - High (8.8)

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 0
  • 0
  • 0
  • 19h ago

CVE-2025-67499

Overview

  • containernetworking
  • plugins
09 Dec 2025
Published
10 Dec 2025
Updated
CVSS v3.1
MEDIUM (6.6)
EPSS
0.01%
KEV

Description

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

Statistics

  • 1 Post
Last activity: 23 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
New security advisory: #Fedora 43 has released an urgent patch for SingularityCE, addressing CVE-2025-67499. Read more: 👉 tinyurl.com/3cejjy2e #Security
  • 0
  • 0
  • 0
  • 23h ago

CVE-2025-13008

Overview

  • M-Files Corporation
  • M-Files Server
19 Dec 2025
Published
19 Dec 2025
Updated
CVSS v4.0
HIGH (8.6)
EPSS
0.05%
KEV

Description

An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture
TechNadu @technadu

M-Files has released patches for CVE-2025-13008, an information disclosure vulnerability involving session token exposure between authenticated users.

The issue affects several release branches and could allow impersonation within M-Files Web under specific conditions.

No exploitation has been observed publicly, but the potential impact on document confidentiality is notable.

This reinforces the need for:

• Strong session controls
• Log review for unusual user behavior
• Prompt patch deployment

Follow @technadu for unbiased, technically grounded security updates.

Source : cybersecuritynews.com/m-files-

  • 0
  • 0
  • 0
  • 20h ago
Showing 1 to 10 of 10 CVEs