CVE-2025-0755
published 2025-03-18CVE-2025-0755: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final…
PriorityP342high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.73%
49.8th percentile
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libbson-xs-perl | < libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) | libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) |
| debian | libbson-xs-perl | — | — |
| debian | mongo-c-driver | < libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) | libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) |
| mongodb | libbson | < 1.27.5 | 1.27.5 |
| mongodb | mongodb | — | — |
| mongodb | mongodb | >= 7.0.0 < 7.0.16 | 7.0.16 |
| mongodb_inc | libbson | < 1.27.5 | 1.27.5 |
| mongodb_inc | mongodb_server | >= 7.0 < 7.0.16 | 7.0.16 |
| mongodb_inc | mongodb_server | >= 8.0 < 8.0.1 | 8.0.1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian8.4HIGH
vendor_ubuntu4.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
mongo-c-driver vulnerabilities
vendor_ubuntu·2025-07-02·CVSS 4.0
CVE-2024-6383 [MEDIUM] mongo-c-driver vulnerabilities
Title: mongo-c-driver vulnerabilities
Summary: Several security issues were fixed in mongo-c-driver.
Karman Liu discovered that mongo-c-driver did not correctly handle certain
memory operations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-6381)
Karman Liu discovered that mongo-c-driver did not correctly handle certain
memory operations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2024-6383, CVE-2025-0755)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-40906: libbson-xs-perl - BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, w...
vendor_debian·2025·CVSS 7.5
CVE-2025-40906 [HIGH] CVE-2025-40906: libbson-xs-perl - BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, w...
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
Scope: local
bookworm: open
bullseye: open
Debian
CVE-2025-0755: libbson-xs-perl - The various bson_append functions in the MongoDB C driver library may be suscept...
vendor_debian·2025·CVSS 8.4
CVE-2025-0755 [HIGH] CVE-2025-0755: libbson-xs-perl - The various bson_append functions in the MongoDB C driver library may be suscept...
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
Scope: local
bookworm: resolved (fixed in 0.8.4-2+deb12u1)
bullseye: resolved (fixed in 0.8.4-1+deb11u1)
OSV
mongo-c-driver vulnerabilities
osv·2025-07-02·CVSS 5.3
CVE-2024-6381 [MEDIUM] mongo-c-driver vulnerabilities
mongo-c-driver vulnerabilities
Karman Liu discovered that mongo-c-driver did not correctly handle certain
memory operations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-6381)
Karman Liu discovered that mongo-c-driver did not correctly handle certain
memory operations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2024-6383, CVE-2025-0755)
GHSA
GHSA-5pww-x83q-7gjh: BSON::XS versions 0
ghsa_unreviewed·2025-05-16·CVSS 7.5
CVE-2025-40906 [HIGH] CWE-1104 GHSA-5pww-x83q-7gjh: BSON::XS versions 0
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.
Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755.
BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
OSV
CVE-2025-40906: BSON::XS versions 0
osv·2025-05-16·CVSS 7.5
CVE-2025-40906 [HIGH] CVE-2025-40906: BSON::XS versions 0
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
GHSA
GHSA-x43h-8pfv-xx24: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result i
ghsa_unreviewed·2025-03-18
CVE-2025-0755 [HIGH] CWE-122 GHSA-x43h-8pfv-xx24: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result i
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
OSV
CVE-2025-0755: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result i
osv·2025-03-18·CVSS 7.5
CVE-2025-0755 [HIGH] CVE-2025-0755: The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result i
The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
GHSA
gix-worktree-state nonexclusive checkout sets executable files world-writable
ghsa·2025-01-21
CVE-2025-22620 [MEDIUM] CWE-281 gix-worktree-state nonexclusive checkout sets executable files world-writable
gix-worktree-state nonexclusive checkout sets executable files world-writable
### Summary
`gix-worktree-state` specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations.
### Details
Git repositories track executable bits for regular files. In tree objects and the index, regular file modes are stored as 0644 if not executable, or 0755 if executable. But this is independent of how the permissions are set in the filesystem (where supported).
[`gix_worktree_state::checkout`](https://github.com/GitoxideLabs/gitoxide/blob/8d84818240d44e1f5fe78a231b5d9bffd0283918/gix-worktree
OSV
gix-worktree-state nonexclusive checkout sets executable files world-writable
osv·2025-01-18
CVE-2025-22620 gix-worktree-state nonexclusive checkout sets executable files world-writable
gix-worktree-state nonexclusive checkout sets executable files world-writable
### Summary
`gix-worktree-state` specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations.
### Details
Git repositories track executable bits for regular files. In tree objects and the index, regular file modes are stored as 0644 if not executable, or 0755 if executable. But this is independent of how the permissions are set in the filesystem (where supported).
[`gix_worktree_state::checkout`](https://github.com/GitoxideLabs/gitoxide/blob/8d84818240d44e1f5fe78a231b5d9bffd0283918/gix-worktree
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-18
Published