[gberger]

Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?

[joecool1029]

Had their hands full getting sued the same day: https://news.ycombinator.com/item?id=46403128

[theteapot]

Might not be how it appears. The CVE number can be reserved by the org and then "published" with only minimal info, then later update with full details. Looking at the meta data that's probably what happened here (not entirely sure what the update was though):

    {
    "cveId": "CVE-2025-14847",
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "state": "PUBLISHED",
    "assignerShortName": "mongodb",
    "dateReserved": "2025-12-17T18:56:21.301Z",
    "datePublished": "2025-12-19T11:00:22.465Z",
    "dateUpdated": "2025-12-29T23:20:23.813Z"
    }

[cebert]

In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.

[tanduv]

should've spun up a few more AI agents

[computerfan494]

That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?

[philipwhiuk]

Posting the CVE and then the patch is the reverse of this.

[computerfan494]

By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.

[philipwhiuk]

That's not what the blog post implies given they only told people how to update aftwards.