CPANSA-BSON-XS-2025-40906: BSON-XS vulnerability

Publisher: giterlizzi
Document category: csaf_security_advisory
Initial release date: 2025-05-16T00:00:00
Engine: CSAF Perl Toolkit 0.25
Current release date: 2025-05-16T00:00:00
Current version: 1
Status: final
CVSS v3.1 Base Score: 9.8
Severity: Critical
Language: en

Vulnerability Description

BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported.

Vulnerabilities

CVE-2025-40906

Vulnerability Description

BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities.

Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755.

BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported.

Weakness: CWE-1104: Use of Unmaintained Third Party Components

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.1           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  9.8              Critical

CVE-2017-14227

Vulnerability Description

In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.

Weakness: CWE-125: Out-of-bounds Read

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.0           CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  7.5              High
2.0           AV:N/AC:L/Au:N/C:N/I:N/A:P                    5.0              Medium

CVE-2018-16790

Vulnerability Description

_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.

Weakness: CWE-125: Out-of-bounds Read

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.0           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H  8.1              High
2.0           AV:N/AC:M/Au:N/C:P/I:N/A:P                    5.8              Medium

CVE-2023-0437

Vulnerability Description

When calling bson_utf8_validate on some inputs, a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects all MongoDB C Driver versions prior to version 1.25.0.

Weakness: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.1           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  5.3              Medium

CVE-2024-6381

Vulnerability Description

The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.

Weakness: CWE-680: Integer Overflow to Buffer Overflow

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.1           CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N  4.0              Medium

CVE-2024-6383

Vulnerability Description

The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small a buffer, which may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1.

Weakness: CWE-122: Heap-based Buffer Overflow

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.1           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N  5.3              Medium

CVE-2025-0755

Vulnerability Description

The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16.

Weakness: CWE-122: Heap-based Buffer Overflow

Product status

Known affected
Product: BSON-XS less than or equal 0.8.4
Score:
CVSS Version  CVSS Vector                                   CVSS Base Score  CVSS Base Severity
3.1           CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  8.4              High
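As an added example (not part of this advisory and not code from the CSAF Perl Toolkit that produced it): a CVSS v3.0/v3.1 base-score calculator that re-derives the scores in the product-status tables above from their vector strings, so a consumer of the advisory can verify the listed scores instead of taking them on trust. It implements the base-metric formulas of the public CVSS v3.0 and v3.1 specifications; the CVSS 2.0 rows are not covered.

```python
import math

# Base-metric weights from the CVSS v3.0 / v3.1 specifications.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},  # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.5}}   # scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def _roundup(x, version):
    # v3.0 rounds up naively; v3.1 first snaps to 1e-5 to avoid float artefacts.
    if version == "3.0":
        return math.ceil(x * 10) / 10
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def cvss3_base_score(vector):
    """Compute the base score for a CVSS:3.0 or CVSS:3.1 vector string."""
    head, *parts = vector.split("/")
    version = head.partition(":")[2]
    if not head.startswith("CVSS:") or version not in ("3.0", "3.1"):
        raise ValueError("only CVSS:3.0 / CVSS:3.1 vectors are supported")
    m = dict(p.split(":") for p in parts)
    scope = m["S"]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = (6.42 * iss if scope == "U"
              else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15)
    expl = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[scope][m["PR"]] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0  # no impact at all means a base score of 0 regardless of exploitability
    total = 1.08 * (impact + expl) if scope == "C" else impact + expl
    return _roundup(min(total, 10), version)

def verify_scores(rows):
    """Return (vector, listed, computed) for every row whose listed score disagrees."""
    computed = [(v, s, cvss3_base_score(v)) for v, s in rows]
    return [t for t in computed if t[1] != t[2]]

# Vectors and scores exactly as listed in the product-status tables of this advisory.
ADVISORY_ROWS = [
    ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8),  # CVE-2025-40906
    ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5),  # CVE-2017-14227
    ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", 8.1),  # CVE-2018-16790
    ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 5.3),  # CVE-2023-0437
    ("CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0),  # CVE-2024-6381
    ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 5.3),  # CVE-2024-6383
    ("CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 8.4),  # CVE-2025-0755
]
```

`verify_scores(ADVISORY_ROWS)` returns an empty list, i.e. every listed v3.x score matches its vector.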

Publisher: giterlizzi
Namespace: https://github.com/giterlizzi/
Contact: gdt@cpan.org

Revision history

Version  Date of the revision      Summary of the revision
1        Fri May 16 00:00:00 2025  First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/