
Embedded MongoDB 6.0.3 vulnerability in WebInterface

Posted: Thu Mar 12, 2026 11:48 am
by rmatulka
Hi,

CrowdStrike recently flagged a vulnerability related to MongoDB 6.0.3 (e.g. MongoBleed / CVE-2025-14847) on a server running FFAStrans WebInterface.

In our setup the WebInterface server.exe starts an internal mongod process which listens only on 127.0.0.1:8010 (localhost). Because the database is not exposed externally, the vulnerability does not appear to be exploitable in this configuration.

However, since the embedded MongoDB version is 6.0.3, security scanners still report it as vulnerable.

Could you confirm:

Which MongoDB version is currently bundled with the latest WebInterface release?

Whether there are plans to update the embedded MongoDB runtime in an upcoming version?


BTW,
thank you, emcodem, for the great job!

Re: Embedded MongoDB 6.0.3 vulnerability in WebInterface

Posted: Thu Mar 12, 2026 12:34 pm
by emcodem
Nice first post, welcome to the forum and thank you for using ffastrans :)
Exactly, to keep things simple, webint writes the mongo binary (version as you say) at startup to the current user's temp folder and starts up mongod.exe from there. It's not guaranteed to run on 8010; it will check which port is available between 8010 and 8020 or so (to support multiple webints on the same host).
I did experiment with updating the database binary, but I didn't actually do it yet because it was a hassle to upgrade existing databases without losing data. Also, it appeared to me that there is no benefit at all from the upgrade besides "running on a newer version".

However, if there's a CVE open, I'll look into upgrading it now.
I'll do it pretty quickly and update you once I have something for download; it's time to release the most recent version anyway, it's much better than the current release.

Maybe interesting for you: there is a way to provide your own mongod.exe, I believe by just placing it in the database folder... but as mongo is usually not fully backward compatible, I would not even try to go down this road if I were you...
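Since the exact port is not fixed (anywhere from 8010 up to about 8020, per the reply above) and the binary lives in the user's temp folder, the practical check for a scanner finding like this is to locate the running mongod.exe, confirm which local address it is bound to, and read its version straight from the binary. The following PowerShell script is an added example, not code from the thread or from the FFAStrans WebInterface project; the process name mongod.exe and the expectation of a 127.0.0.1-only listener come from the posts, and the output format is my own assumption.

```powershell
# Added example (not from the forum thread or the FFAStrans project):
# find every running mongod.exe, print where it listens and which version it is.
# Assumption: the embedded database runs as a process named mongod.exe.

$loopback = @('127.0.0.1', '::1')

$procs = Get-Process -Name mongod -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Output "No mongod.exe process found."
    return
}

foreach ($p in $procs) {
    $exe = $p.Path   # needs an elevated shell if mongod runs under another account

    # mongod prints "db version vX.Y.Z" as the first line of --version output
    $versionLine = (& $exe --version 2>$null | Select-Object -First 1)

    Write-Output ("PID {0}: {1}" -f $p.Id, $exe)
    Write-Output ("  version: {0}" -f $versionLine)

    $listen = Get-NetTCPConnection -OwningProcess $p.Id -State Listen -ErrorAction SilentlyContinue
    if (-not $listen) {
        Write-Output "  no listening TCP sockets found for this process"
        continue
    }
    foreach ($c in $listen) {
        # Anything other than a loopback address (e.g. 0.0.0.0 or ::) is reachable
        # from other hosts, and the scanner finding would then actually matter.
        $exposed = $loopback -notcontains $c.LocalAddress
        $flag = if ($exposed) { 'EXPOSED' } else { 'loopback only' }
        Write-Output ("  listening on {0}:{1} ({2})" -f $c.LocalAddress, $c.LocalPort, $flag)
    }
}
```

Run it from an elevated PowerShell on the WebInterface host; without elevation `$p.Path` and the owning-process lookup can come back empty for processes started by another user. A line marked `loopback only` matches the configuration described in the opening post; a line marked `EXPOSED` means the embedded database is reachable over the network and the scanner result should be treated as real until the updated binaries are installed.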

Re: Embedded MongoDB 6.0.3 vulnerability in WebInterface

Posted: Tue Apr 14, 2026 9:46 am
by rmatulka
Hi,
Thank you for your answer. I am sharing the CVE: https://www.cve.org/CVERecord?id=CVE-2025-14847

Re: Embedded MongoDB 6.0.3 vulnerability in WebInterface

Posted: Tue Apr 14, 2026 10:09 am
by emcodem
The latest update already includes the updated database binaries (first updated version 1.4.0.277)