CVE-2025-0755

The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.4 HIGH | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| mongodb | CNA | 8.4 HIGH | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CISA-ADP | ADP | --- | | | | --- |

Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score
Percentile: 3%
Debian Releases
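
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libbson-xs-perl | bullseye | | vulnerable |
| libbson-xs-perl | bullseye (security) | 0.8.4-1+deb11u1 | fixed |
| libbson-xs-perl | bookworm | 0.8.4-2+deb12u1 | fixed |
| mongo-c-driver | bullseye | | vulnerable |
| mongo-c-driver | bullseye (security) | 1.17.6-1+deb11u1 | fixed |
| mongo-c-driver | bookworm | 1.23.1-1+deb12u1 | fixed |
| mongo-c-driver | trixie | 1.30.3-1 | fixed |
| mongo-c-driver | sid | 1.30.4-1 | fixed |
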
Ubuntu Releases
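
| Ubuntu Product | Codename | Status |
|---|---|---|
| mongo-c-driver | plucky | not-affected |
| mongo-c-driver | oracular | not-affected |
| mongo-c-driver | noble | needs-triage |
| mongo-c-driver | jammy | needs-triage |
| mongo-c-driver | focal | needs-triage |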