CVE-2023-0437
Published: 2024-01-12
Priority: P3 · 39 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.10% (61.6th percentile)
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libbson-xs-perl | < libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) | libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) |
| debian | libbson-xs-perl | — | — |
| debian | mongo-c-driver | < libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) | libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) |
| mongodb | c_driver | < 1.25.0 | 1.25.0 |
| mongodb_inc | mongodb_c_driver | >= 1.0.0 < 1.25.0 | 1.25.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
Debian
CVE-2025-40906 [HIGH] libbson-xs-perl (vendor_debian · 2025 · CVSS 7.5)
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
Scope: local
bookworm: open
bullseye: open
Debian
CVE-2023-0437 [MEDIUM] libbson-xs-perl (vendor_debian · 2023 · CVSS 5.3)
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.
Scope: local
bookworm: resolved (fixed in 0.8.4-2+deb12u1)
bullseye: resolved (fixed in 0.8.4-1+deb11u1)
GHSA
GHSA-5pww-x83q-7gjh / CVE-2025-40906 [HIGH] CWE-1104 (ghsa_unreviewed · 2025-05-16 · CVSS 7.5)
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
OSV
CVE-2025-40906 [HIGH] (osv · 2025-05-16 · CVSS 7.5)
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
GHSA
GHSA-8549-4c5j-x7g2 / CVE-2023-0437 [MEDIUM] CWE-835 (ghsa_unreviewed · 2024-01-12)
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.
OSV
CVE-2023-0437 [HIGH] (osv · 2024-01-12 · CVSS 7.5)
When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://jira.mongodb.org/browse/CDRIVER-4747
- https://lists.fedoraproject.org/archives/list/[email protected]/message/7GUVOAFZFSYTNBF6R7H4XJM5DHWBRQ6P/
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00027.html