Aptible incident

CVE-2025-14847: MongoDB unauthenticated information leak


Aptible experienced a notice incident on December 30, 2025 affecting Aptible Deploy, lasting 15h 1m. The incident has been resolved; the full update timeline is below.

Started: Dec 30, 2025, 02:14 AM UTC
Resolved: Dec 30, 2025, 05:15 PM UTC
Duration: 15h 1m
Detected by Pingoru: Dec 30, 2025, 02:14 AM UTC

Affected components

Aptible Deploy

Update timeline

  1. monitoring Dec 30, 2025, 02:14 AM UTC

    The Aptible Security Team is aware of the recently disclosed vulnerability CVE-2025-14847 (https://github.com/advisories/GHSA-4742-mr57-2r9j) affecting all MongoDB versions. The vulnerability could allow an attacker with network access to a MongoDB database to exfiltrate data, including sensitive data and/or credentials, without authenticating to the database. In response to the vulnerability, we have updated our supported MongoDB versions to prevent exploitation of this vulnerability.

    In addition, we have proactively restarted databases matching either of the following criteria, to ensure they are running on the latest protected versions:

    * All databases in shared-tenancy stacks, and
    * All databases with customer-created public endpoints that do not have access restricted to an IP allow list

    Since Aptible databases run on private networks by default, most Aptible managed MongoDB databases are not accessible from the internet or by other Aptible customers, and so are not vulnerable to CVE-2025-14847. As such, we did not proactively restart these databases. Customers may restart their databases at any time to update to the latest protected versions.

  2. resolved Dec 30, 2025, 05:15 PM UTC

    This incident has been resolved.