CVE-2025-40906
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities
In short
BSON::XS, a Perl library for handling MongoDB's BSON data format, bundles an outdated version of libbson with multiple known security flaws. Applications that use this library are exposed to several serious vulnerabilities that attackers can exploit.
Technical detail
BSON::XS ≤0.8.4 bundles libbson 1.1.7, which contains multiple unpatched CVEs, including buffer overflows, integer overflows, and memory corruption issues (CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, CVE-2025-0755). BSON::XS reached end of life in August 2020 and receives no security updates. Exploitation occurs through malformed BSON input during deserialization.
Summary generated and translated by AI from the official description.
BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities.
Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755.
BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
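An inventory check for the affected range, added here as an example (it is not part of the official description or of the BSON::XS distribution): it looks for every copy of BSON/XS.pm on the Perl module search path and reads its version without loading the XS code. The v0.8.4 threshold comes from the advisory text; the function names and output labels are assumptions made for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use version;
use Module::Metadata;   # core module; reads $VERSION from the file without loading it

# Last affected release, taken from the advisory text.
my $LAST_AFFECTED = version->parse('v0.8.4');

# Classify a BSON::XS version string against the advisory's affected range.
# "not-in-range" only means the version is above v0.8.4; it is not a claim of a fix.
sub classify {
    my ($raw) = @_;
    return 'unknown' unless defined $raw && length $raw;
    my $v = eval { version->parse($raw) };      # dies on malformed version strings
    return 'unknown' unless defined $v;
    return $v <= $LAST_AFFECTED ? 'affected' : 'not-in-range';
}

# Find every copy of BSON/XS.pm on the given search path, shadowed copies included.
sub find_copies {
    my (@dirs) = @_;
    my @found;
    for my $dir (grep { !ref } @dirs) {         # skip @INC hooks (code refs)
        my $file = "$dir/BSON/XS.pm";
        next unless -f $file;
        my $meta = eval { Module::Metadata->new_from_file($file) };
        my $ver  = $meta ? $meta->version('BSON::XS') : undef;
        push @found, { file => $file, version => defined $ver ? "$ver" : undef };
    }
    return @found;
}

my @copies = find_copies(@INC);
print "BSON::XS not found on \@INC\n" unless @copies;
for my $c (@copies) {
    printf "%-13s %-10s %s\n",
        classify($c->{version}), $c->{version} // '?', $c->{file};
}

# Exit non-zero if any copy is affected or could not be classified,
# so the script can gate a build or a host audit.
exit( (grep { classify($_->{version}) ne 'not-in-range' } @copies) ? 1 : 0 );
```

Run it with each Perl interpreter in use on a host, since every interpreter and local::lib has its own search path.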
Affected products
MONGODB · BSON::XS