CPANSA-BSON-XS-2025-40906: BSON-XS vulnerability
Publisher | giterlizzi
Document category | csaf_security_advisory
Initial release date | 2025-05-16T00:00:00
Engine | CSAF Perl Toolkit 0.25
Current release date | 2025-05-16T00:00:00
Build Date |
Current version | 1
Status | final
CVSS v3.1 Base Score | 9.8
Severity | Critical
Original language |
Language | en
Also referred to |
Vulnerability Description
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported.
Vulnerabilities
CVE-2025-40906
Vulnerability Description
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported.
Weakness | CWE-1104 : Use of Unmaintained Third Party Components
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
CVE-2017-14227
Vulnerability Description
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.
Weakness | CWE-125 : Out-of-bounds Read
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
CVE-2018-16790
Vulnerability Description
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
Weakness | CWE-125 : Out-of-bounds Read
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
CVE-2023-0437
Vulnerability Description
When calling bson_utf8_validate on some inputs, a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects all MongoDB C Driver versions prior to version 1.25.0.
Weakness | CWE-835 : Loop with Unreachable Exit Condition ('Infinite Loop')
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
CVE-2024-6381
Vulnerability Description
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.
Weakness | CWE-680 : Integer Overflow to Buffer Overflow
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
CVE-2024-6383
Vulnerability Description
The bson_string_append function in the MongoDB C Driver may be vulnerable to a buffer overflow where the function might allocate too small a buffer, which may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1.
Weakness | CWE-122 : Heap-based Buffer Overflow
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
CVE-2025-0755
Vulnerability Description
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16.
Weakness | CWE-122 : Heap-based Buffer Overflow
Product status
Known affected
Product | Score
BSON-XS less than or equal 0.8.4 |
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
Revision history
Version | Date of the revision | Summary of the revision
1 | Fri May 16 00:00:00 2025 | First release
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/