What is CVE-2025-40906?

CVE-2025-40906 is a vulnerability in Mongodb Bson::xs, classified under CWE-1395. Published 2025-05-16.

Is CVE-2025-40906 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Buffer overflow in Mongodb Bson::xs

CVE-2025-40906

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was…

EPSS: 0.006 (69.8th percentile) — read the EPSS interpretation.

Affected products

Mongodb Bson::xs — versions 0

Weakness classification (CWE)

CWE-1395
CWE-1104
CWE-122 — Heap-based Buffer Overflow
CWE-190 — Integer Overflow or Wraparound

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

lists.debian.org/debian-lts-announce/2025/05/msg00012.html (mailing-list)
www.mongodb.com/community/forums/t/mongodb-perl-driver-end-of-life/7890 (vendor-advisory)

Frequently asked questions

What is CVE-2025-40906?: CVE-2025-40906 is a vulnerability in Mongodb Bson::xs, classified under CWE-1395. Published 2025-05-16.
Is CVE-2025-40906 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.