Permalink
CVE-2025-40906
9.8 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
References
- https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890 vendor-advisory
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html mailing-list
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html mailing-list
- https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890 vendor-advisory
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html mailing-list
- https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890 vendor-advisory
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html mailing-list
- https://www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890 vendor-advisory
Affected products
BSON-XS
- =<0.8.4
Matching in nixpkgs
pkgs.perlPackages.BSONXS
XS implementation of MongoDB's BSON serialization (EOL)
-
nixos-unstable -
- nixpkgs-unstable 0.8.4
pkgs.perl538Packages.BSONXS
XS implementation of MongoDB's BSON serialization (EOL)
-
nixos-unstable -
- nixpkgs-unstable 0.8.4
pkgs.perl540Packages.BSONXS
XS implementation of MongoDB's BSON serialization (EOL)
-
nixos-unstable -
- nixpkgs-unstable 0.8.4