CouchDB Weekly News, January 26, 2017

Major Discussions

[ANNOUNCEMENT] couch-chakra, a CouchDB Query Server Runtime build with ChakraCore (see thread)

Daniel Munch rewrote the Query Server component of CouchDB in ChakraCore, Microsoft’s Open Source JavaScript engine.

ransom note – couchdb exploit / privilege escalation? (see thread)

A heads up on the recent exploits turns into a brief discussion on 3.0.

Releases in the CouchDB Universe


  • express-pouchdb 2.2.0 – Express submodule with a CouchDB style REST interface to PouchDB.
  • pouch-cli 0.0.1 – A Node.js CLI powered by PouchDB that let you do basic commands on your CouchDB,Cloudant and PouchDB databases.

Opinions and other News in the CouchDB Universe

… and in the PouchDB Universe

CouchDB Use Cases, Questions and Answers

Use Case:

  • couchdb-otp – Experiment to OTPify CouchDB for embedded use in Erlang applications

Stack Overflow:

no public answer yet:

PouchDB Use Cases, Questions and Answers

Stack Overflow:

no public answer yet:

For more new questions and answers about CouchDB, see these search results and about PouchDB, see these.

Get involved!

If you want to get into working on CouchDB:

  • We have an infinite number of open contributor positions on CouchDB. Submit a pull request and join the project!
  • Do you want to help us with the work on the new CouchDB website? Get in touch on our new website mailing list and join the website team! –
  • The CouchDB advocate marketing programme is just getting started. Join us in CouchDB’s Advocate Hub!
  • CouchDB has a new wiki. Help us move content from the old to the new one!
  • Can you help with Web Design, Development or UX for our Admin Console? No Erlang skills required! – Get in touch with us.
  • Do you want to help moving the CouchDB docs translation forward? We’d love to have you in our L10n team! See our current status and languages we’d like to provide CouchDB docs in on this page. If you’d like to help, don’t hesitate to contact the L10n mailing list on or ping Andy Wenk (awenkhh on IRC).

We’d be happy to welcome you on board!


Job opportunities for people with CouchDB skills

Time to relax with some quick videos

… and also in the news

CouchDB Ransom Notes

Dear CouchDB Community,

You may have seen a news item[1] about CouchDB in the past few days. There is a trend of finding unsecured public databases, deleting all the data in them, and asking for a ransom to restore the data. This has been going on with MongoDB for a while, now Hadoop and CouchDB joined the list of affected database products.

One of CouchDB’s design goals is ease-of-use. That lead us to decide on easy to access security defaults for CouchDB. Namely the famous Admin Party (every request is considered coming from an administrator). To make sure this isn’t a security issue, CouchDB by default also only binds to the local loopback network interface and we recommend creating an admin account before making CouchDB accessible from the public.

As far as we can tell for now, the affected CouchDB instances have been in Admin Party mode and publicly accessible. As a result we are reiterating the documented best practice: Do not run CouchDB without an admin account on a public network interface. Make sure to choose a strong password for the admin account.

For CouchDB 2.0 and onwards, we already make the creation of the admin account part of the cluster setup, but users can still choose to ignore this step. For future CouchDB versions (3.x and onwards), we are currently taking steps to make things even more secure by default and make it even harder (if not impossible) to run an insecure CouchDB instance in production.

We are also working with the security researches that are doing widespread investigations into this issue to see if there are any other issues that we can address on the CouchDB side.

If you have any questions, please contact the user’s list

If you want to report an intrusion into a CouchDB instance that you can prove has been secured with an admin account and associated security measures (like TLS), or if you have any other useful information pertaining to this issue, please contact, our private security reporting mailing list.


Jan Lehnardt, Vice President of Apache CouchDB