Security: Docker MongoDB exposed on 0.0.0.0:27017 allows ransomware attacks #1772

@ebowwa

Description

Security Issue

MongoDB container is started with port binding to 0.0.0.0:27017 instead of 127.0.0.1:27017, exposing the database to the public internet.

Impact

Automated ransomware scanners found the open MongoDB instance and created a ransom database:

  • Ransom DB name: READ__ME_TO_RECOVER_YOUR_DATA
  • Demanded: 0.0051 BTC
  • Deadline: 48 hours

Root Cause

MentraOS cloud package depends on:

  • mongodb: ^6.13.0
  • mongoose: ^6.5.2

The Docker/run scripts start MongoDB with default port binding to all interfaces.

Recommendation

Bind MongoDB to localhost only:

ports:
  - "127.0.0.1:27017:27017"  # instead of "27017:27017"

Or the Tailscale recommendation.

Evidence

Scroll up on this thread.
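The following checker is an added example and is not code from the issue or from the MentraOS project. It parses the short `ports:` syntax of a docker-compose file (`[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]`), flags every mapping that publishes on all interfaces (no host IP, `0.0.0.0`, or `[::]`), and prints the loopback-only rewrite the issue recommends. It also parses the Ports column of `docker ps` so the same check can be run against containers already running on the affected host. The compose text and service names are constructed for illustration.

```python
"""Flag Docker port publications that listen on every interface.

Added example, not MentraOS project code. The compose text below is
constructed for illustration and the service names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Docker short port syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL].
# The host IP must look like a dotted IPv4 or a bracketed IPv6 address so that
# "27017:27017" is read as host:container rather than ip:container.
_SHORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d+\.\d+\.\d+\.\d+):)?"
    r"(?:(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<cont>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)

# `docker ps` Ports column entries look like 0.0.0.0:27017->27017/tcp
# or :::27017->27017/tcp (the IPv6 wildcard).
_PS_RE = re.compile(
    r"(?P<ip>\d+\.\d+\.\d+\.\d+|::|\[[^\]]+\]):(?P<host>\d+)->(?P<cont>\d+)/(?P<proto>\w+)"
)

WILDCARDS = {None, "0.0.0.0", "[::]"}


@dataclass
class PortMapping:
    raw: str
    host_ip: Optional[str]
    host_port: Optional[str]
    container_port: str
    proto: Optional[str]

    @property
    def exposed_everywhere(self) -> bool:
        """True when the host side is omitted, 0.0.0.0 or [::]: reachable on any interface."""
        return self.host_ip in WILDCARDS

    def hardened(self, bind_ip: str = "127.0.0.1") -> str:
        """Rewrite the mapping to listen on bind_ip only (loopback by default).
        With no explicit host port, reuse the container port rather than let
        Docker choose an ephemeral one."""
        host = self.host_port or self.container_port
        out = f"{bind_ip}:{host}:{self.container_port}"
        return f"{out}/{self.proto}" if self.proto else out


def parse_port(raw: str) -> Optional[PortMapping]:
    """Parse one short-syntax entry; returns None for long syntax or malformed input."""
    m = _SHORT_RE.match(raw.strip())
    if not m:
        return None
    return PortMapping(raw.strip(), m.group("ip"), m.group("host"), m.group("cont"), m.group("proto"))


def scan_compose(text: str) -> List[Tuple[str, PortMapping]]:
    """Minimal line scanner (no YAML library): yields (service, mapping) for each
    `- host:container` entry under a `ports:` key, using indentation to find the service."""
    lines = text.splitlines()
    found: List[Tuple[str, PortMapping]] = []
    i = 0
    while i < len(lines):
        if lines[i].strip() == "ports:":
            indent = len(lines[i]) - len(lines[i].lstrip())
            service = "?"
            for prev in reversed(lines[:i]):  # nearest enclosing key is the service name
                if prev.strip().endswith(":") and len(prev) - len(prev.lstrip()) < indent:
                    service = prev.strip()[:-1]
                    break
            i += 1
            while i < len(lines):
                entry = lines[i]
                e_indent = len(entry) - len(entry.lstrip())
                if not entry.strip().startswith("-") or e_indent <= indent:
                    break
                raw = entry.strip()[1:].split("#", 1)[0].strip().strip("\"'")
                pm = parse_port(raw)
                if pm:
                    found.append((service, pm))
                i += 1
            continue
        i += 1
    return found


def audit(compose_text: str) -> List[Tuple[str, str, str]]:
    """(service, original mapping, loopback rewrite) for every all-interface publication."""
    return [(svc, pm.raw, pm.hardened())
            for svc, pm in scan_compose(compose_text) if pm.exposed_everywhere]


def public_bindings_from_ps(ports_field: str) -> List[str]:
    """Host bindings in a `docker ps` Ports column that listen on every interface."""
    return [m.group(0) for m in _PS_RE.finditer(ports_field) if m.group("ip") in ("0.0.0.0", "::")]


# Constructed sample: a weak binding, an IPv6 wildcard, a loopback-only mapping and a bare one.
SAMPLE_COMPOSE = """\
services:
  mongo:
    image: mongo:7
    ports:
      - "27017:27017"          # all interfaces: what the issue describes
  mongo-ipv6:
    image: mongo:7
    ports:
      - "[::]:27018:27017/tcp"
  api:
    build: .
    ports:
      - "127.0.0.1:8002:8002"  # loopback only
      - 443:443
"""

if __name__ == "__main__":
    for svc, raw, fix in audit(SAMPLE_COMPOSE):
        print(f"{svc}: '{raw}' listens on all interfaces -> use '{fix}'")
    print(public_bindings_from_ps("0.0.0.0:27017->27017/tcp, :::27017->27017/tcp"))
```

Two caveats a practitioner should keep in mind. First, ports Docker publishes are reached through the FORWARD chain, so an INPUT-chain host firewall (for example a ufw default-deny) does not block them; the binding address in the `ports:` entry is the control that matters. Second, if only other containers on the same compose network need MongoDB, the safest option is to remove the `ports:` entry entirely and let them connect by service name, since even `127.0.0.1` is reachable by everything else on the host; binding to loopback is the right fix when a process on the host itself must connect.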
