CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 May 2025 — BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution reached its end of life on August 13, 2020 and is no longer supported. • https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html • CWE-1104: Use of Unmaintained Third Party Components • CWE-1395: Dependency on Vulnerable Third-Party Component

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

31 Mar 2020 — Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure. This issue affects MongoDB Inc. js-bson library versions 1.1.3 and prior. • https://github.com/mongodb/js-bson/releases/tag/v1.1.4 • CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Mar 2020 — All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type. • https://snyk.io/vuln/SNYK-JS-BSON-561052 • CWE-502: Deserialization of Untrusted Data

CVSS: 7.5 | EPSS: 3% | CPEs: 3 | EXPL: 2

20 Feb 2020 — The Moped::BSON::ObjectId.legal? method in mongodb/bson-ruby before 3.0.4, as used in rubygem-moped, allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix for CVE-2015-4410. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161964.html • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

10 Jul 2018 — The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string. • https://github.com/ossf-cve-benchmark/CVE-2018-13863