SecuriTricks - CVE-2025-0755

Description

The various bson_append functions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16

Product(s) Impacted

Vendor	Product	Versions
Mongodb	Libbson Mongodb Server	* 8.0, 7.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-122

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mongodb	libbson	/	/	/	/	/	/	/	/
a	mongodb	mongodb_server	8.0	/	/	/	/	/	/	/
a	mongodb	mongodb_server	7.0	/	/	/	/	/	/	/

References

https://jira.mongodb.org/browse/SERVER-94461

CVSS Score

8.4 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: March 18, 2025, 9:15 a.m.
Last Modified: March 18, 2025, 9:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@mongodb.com

CVE-2025-0755