CVE-2025-40906 | BSON::XS versions 0.8.4 and earlier for Perl includes a bund… | CVSS 9.8 CRITICAL

Description

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.

Metadata

CVE ID: CVE-2025-40906
State: PUBLISHED
Assigner: CPANSec
Reserved: 2025-04-16 09:05 UTC
Published: 2025-05-16 15:15 UTC
Last updated: 2025-09-09 13:54 UTC
Primary CWE: CWE-1395
CWE-1395 Dependency on Vulnerable Third-Party Component
Vendor / Product: MONGODB / BSON::XS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
MONGODB	BSON::XS	—	0 ≤ 0.8.4

Weakness (CWE)

CWE	Source	Description
CWE-1104	cna	CWE-1104 Use of Unmaintained Third Party Components
CWE-122	cna	CWE-122 Heap-based Buffer Overflow
CWE-1395	cna	CWE-1395 Dependency on Vulnerable Third-Party Component
CWE-190	cna	CWE-190 Integer Overflow or Wraparound

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)