CRITICAL🇵🇱 Wersja polska

CVE-2025-40906

CVSS 9.8v3.1pub. 2025-05-16upd. 2026-04-15

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.

🤖 AI Analysis
How it works

The vulnerability results from the inclusion of the outdated libbson 1.1.7 library directly in the BSON::XS package (CWE-1104 — use of unsupported third-party component). This library contains heap buffer overflow errors (CWE-122) and integer overflow bugs (CWE-190), classified as CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. An attacker can supply specially crafted BSON data that triggers vulnerable code paths in the libbson library during deserialization.

Impact

Exploitation of the vulnerability may enable an attacker to achieve remote code execution (RCE), disclose sensitive data, or cause application failure — all without requiring authentication and user interaction, which is confirmed by the CVSS vector AV:N/AC:L/PR:N/UI:N.

Mitigation & patch

No updates are available — the BSON::XS distribution reached end of life on August 13, 2020 and is no longer supported. It is recommended to immediately stop using this package and migrate to alternative, actively maintained BSON libraries for Perl. You should consult the vendor references indicated in the vulnerability description.

Who is affected

BSON::XS in version 0.8.4 and earlier for Perl containing the included libbson 1.1.7 library

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References