CVE-2025-0755

The various bson_appendfunctions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.4 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mongodbCNA
8.4 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
mongodblibbson
𝑥
< 1.27.5
mongodbmongodb
7.0.0 ≤
𝑥
< 7.0.16
mongodbmongodb
8.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libbson-xs-perl
bullseye
vulnerable
bullseye (security)
0.8.4-1+deb11u1
fixed
bookworm
0.8.4-2+deb12u1
fixed
mongo-c-driver
bullseye
vulnerable
bullseye (security)
1.17.6-1+deb11u1
fixed
bookworm
1.23.1-1+deb12u1
fixed
trixie
1.30.4-1
fixed
forky
2.1.2-1
fixed
sid
2.1.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mongo-c-driver
plucky
not-affected
oracular
not-affected
noble
Fixed 1.26.0-1.1ubuntu2+esm1
released
jammy
ignored
focal
ignored
Common Weakness Enumeration
References
https://jira.mongodb.org/browse/CDRIVER-5601
https://jira.mongodb.org/browse/SERVER-94461